This is the Splunk Enterprise REST API Reference Manual, which gives summary and detailed endpoint descriptions for accessing REST resources. Read the REST API User Manual for basic concepts you need to know before using the API.
This introduction describes how to use the reference documentation.
The documentation groups resources into the following categories.
| Category | Description |
|---|---|
| Access control | Authorize and authenticate users. |
| Applications | Install applications and application templates. |
| Clusters | Configure and manage cluster master and peer nodes. |
| Configuration | Manage configuration files and settings. |
| Deployment | Manage deployment servers and clients. |
| Inputs | Manage data input. |
| Introspection | Access system properties. |
| Knowledge | Define indexed and searched data configurations. |
| KV store | Manage app key-value store. |
| Licensing | Manage licensing configurations. |
| Outputs | Manage forwarder data configuration. |
| Search | Manage searches and search-generated alerts and view objects. |
| System | Manage server configuration. |
Iterating over the REST endpoints shows more endpoints and methods than are described in this reference. These might be used internally by Splunk for testing, debugging, and monitoring. Conforming applications and usage shall use only the endpoints and methods as described in this reference.
Splunk Enterprise REST API documentation
Tools
The API documentation uses the following formatting conventions to describe the resource interface.
Endpoint descriptions use the URI as the endpoint name, beginning with the resource name. For example,
apps/appinstall
is the name of the
/services/apps/appinstall
or
/servicesNS/<user>/<app>/apps/appinstall
endpoint.
Deprecated methods have the "[DEPRECATED]" string after the name.
The Synopsis section shows the generic URL and parameter syntax for referencing the resource. It shows the GET method syntax unless the endpoint supports only the POST method.
The Description section gives a short description of the endpoint function. See the method Application usage section for application considerations about how to use the interface.
The See also section includes links to reference documentation and related API descriptions that might provide more context for the endpoint.
A table listing the methods supported by the API, for this endpoint. Entries include the method name (operation) with a link to the method, a short description of the method function, and the supported data formats.
For each method listed in the method summary, DELETE, GET, and POST methods provide more detailed information about the method.
Click the Example link to view example API request and response calls.
Simple examples of how to make a request on the endpoint and what the response data looks like.
Your system must be configured appropriately to get the response shown in the examples. For example, a dynamic job ID parameter can be expected to be different for your setup. If needed, you can modify the examples to match your system configuration and state, including changing the hostname and port number.
The examples show typical endpoint request syntax using the cURL command-line utility, unless another mechanism is more appropriate for the endpoint.
cURL is available with your *NIX distribution or from the following resources:
See the cURL manpage for command-line options.
An example of the default XML response for a minimally configured system follows the request.
You can also access endpoints by using the httplib2 Python library distributed with Splunk Enterprise. For example:
import httplib2
hostName = "localhost"
managementPort = "8089"
userName ="admin"
userPassword = "changeme"
testUri = "/services/apps/local"
h = httplib2.Http(".cache", disable_ssl_certificate_validation=True)
h.add_credentials(userName, userPassword)
base_url = "https://" + hostName + ":" + managementPort
try:
response, content = h.request(base_url + testUri, "GET")
if (response['status'] >= '200' and response['status'] <= '204'):
print content
else:
print response['status']
except Exception, e:
print "Exception: '%s'" % e
REST client browser plugins are a convenient way to exercise the REST API, and are available for all popular browsers. See #References.
Powershell users can use Invoke-RestMethod.
To improve readability, the following response elements are elided using the ... elided ... notation.
Most responses include <opensearch> elements for paging. The opensearch elements are elided to improve readability.
All responses include an Access Control List (ACL) element that defines permissions for accessing the endpoint. The <eia:acl> element is elided to improve readability.
Some GET responses include an EIA attribute element that defines required, optional, and wildcard endpoint elements. The <eai:attributes> element is elided to improve readability.
Multiple data content entries might be elided to improve readability.
A list of support request parameters are described in terms of parameter name, datatype, default value, and a short description.
Required parameters are indicated by the required string with the parameter name.
The following request parameters are valid for some GET methods, as the endpoint documentation indicates.
Conforming endpoints might not support all of these parameters.
| Name | Datatype | Default | Description |
|---|---|---|---|
| count | Number | 30
| Maximum number of entries to return. Set value to zero to get all available entries. |
| offset | Number | 0
| Index of first item to return. |
| search | String | Response filter, where the response field values are matched against this search expression.
Example:
| |
| sort_dir | Enum | asc
| Response sort order:
|
| sort_key | String | name
| Field name to use for sorting. |
| sort_mode | Enum | auto
| Collated ordering:
|
| summarize | Bool | false
| Response type:
|
Response content data are key-value pairs. All valid parameters are listed with their name and description.
Responses can include one of the following HTTP status codes, in addition to content data. Status codes are not listed because the API generally follows the HTTP standard for reporting status. But, the documentation does note status codes with special significance or where the cause differs from the standard.
In addition to the HTTP status code, many request error conditions also return an error message. For example:
<response>
<messages>
<msg type="ERROR">
In handler 'datamodelgenerate': The following required arguments are missing: sid.
</msg>
</messages>
</response>
EAI response data, the <eia:acl> and <eai:attributes> elements, typically apply to all endpoints and are configuration-dependent, so redundant explanation is omitted. These elements are also elided from the response examples to make the documentation easier to read.
The REST implementation enforces ownership and permissions for a resource based on application context namespace. The ACL includes the following parameters.
Parameter Description app The app context for the resource. Allowed values are:
- The name of an app
systemcan_list For internal use only for the Splunk Web manager UI. can_share_* Indicates whether or not the current user can change the sharing state. The sharing state can be one of:
- can_share_app = App-level sharing
- can_share_global = Global sharing
- can_share_user = User-level sharing
can_write Indicates whether or not the current user can edit this item. owner The user that owns the resource. A value of
nobodyindicates that all users have access to the resource, but that write access to the resource might be restricted.modifiable Indicates whether or not you can change the Access Control List (ACL). Set to false for items not controlled by ACLs, such as items under
/server/logger.perms.read Properties that indicate read permissions of the resource. perms.write Properties that indicate write permissions of the resource. removable Indicates if an admin or user with sufficient permissions can remove the entity. sharing Indicates how the resource is shared. Allowed values are:
app= Shared through an app.global= Shared to all apps.user= Private to a user.
Theeai:attributeselement shows the mandatory and optional fields.
Attribute Description optionalFields Field is optional. requiredFields Field is required. wildcardFields Field can use wildcard.
The Application usage section gives detailed information on the intended use of the method for the endpoint.
If applicable, the See also section has links to related endpoints and documentation.
alerts/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| alerts/fired_alerts | Search Access all fired alerts |
◯ |
No | |||
| alerts/fired_alerts/{name} | Search Access specific fired alert |
◯ |
◯ |
No |
apps/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| apps/appinstall | Applications Install app from URL or local file |
◯ |
No | |||
| apps/apptemplates | Applications Access app templates for creating new apps |
◯ |
No | |||
| apps/apptemplates/{name} | Applications Access particular app template |
◯ |
No | |||
| apps/local | Applications Manage local apps |
◯ |
◯ |
No | ||
| apps/local/{name} | Applications Manage specific local app |
◯ |
◯ |
◯ |
No | |
| apps/local/{name}/package | Applications Archive an app |
◯ |
No | |||
| apps/local/{name}/setup | Applications Access setup information for an app |
◯ |
No | |||
| apps/local/{name}/update | Applications Access update information for an app |
◯ |
No |
authentication/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| auth/login | Access control Provide user authentication |
◯ |
No | |||
| authentication/current-context | Access control Access current user contexts |
◯ |
No | |||
| authentication/current-context/{name} | Access control Access specific user context |
◯ |
No | |||
| authentication/httpauth-tokens | Access control Manage session tokens |
◯ |
No | |||
| authentication/httpauth-tokens/{name} | Access control Manage specific session token |
◯ |
◯ |
No | ||
| authentication/users | Access control Manage user accounts |
◯ |
◯ |
No | ||
| authentication/users/{name} | Access control Manage specific user account |
◯ |
◯ |
◯ |
No |
authorization/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| authorization/capabilities | Access control Access capability authorization |
◯ |
◯ |
◯ |
No | |
| authorization/roles | Access control Access user roles |
◯ |
◯ |
No | ||
| authorization/roles/{name} | Access control Access specific user role |
◯ |
◯ |
◯ |
No |
cluster/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| cluster/config | Clusters Manage cluster configuration |
◯ |
No | |||
| cluster/config/{name} | Clusters Manage specific cluster configuration |
◯ |
◯ |
No | ||
| cluster/master/buckets | Clusters Access master node bucket configurations |
◯ |
No | |||
| cluster/master/buckets/{name} | Clusters Access specific bucket configuration, master node |
◯ |
No | |||
| cluster/master/control/control/rebalance_primaries | Clusters Access master controls to rebalance primary buckets across peers |
◯ |
No | |||
| cluster/master/control/control/remove_peers | Clusters Remove disabled peer nodes. |
◯ |
No | |||
| cluster/master/generation | Clusters Access current generations information, master node |
◯ |
◯ |
No | ||
| cluster/master/generation/{name} | Clusters Access specific generation information, cluster master |
◯ |
◯ |
No | ||
| cluster/master/indexes | Clusters Access cluster index information |
◯ |
No | |||
| cluster/master/indexes/{name} | Clusters Access specific cluster index information |
◯ |
No | |||
| cluster/master/info | Clusters Access cluster master node information |
◯ |
No | |||
| cluster/master/peers | Clusters Access peer information, master node |
◯ |
No | |||
| cluster/master/peers/{name} | Clusters Access specific master node peer information |
◯ |
No | |||
| cluster/master/sites | Clusters Access cluster site information |
◯ |
No | |||
| cluster/master/sites/{name} | Clusters Access specific cluster site information |
◯ |
No | |||
| cluster/searchhead/generation | Clusters Access searchhead peer information |
◯ |
No | |||
| cluster/searchhead/generation/{name} | Clusters Access specific searchhead peer information |
◯ |
No | |||
| cluster/searchhead/searchheadconfig | Clusters Access cluster configuration for searchhead |
◯ |
◯ |
No | ||
| cluster/searchhead/searchheadconfig/{name} | Clusters Access specific cluster node |
◯ |
◯ |
◯ |
No | |
| cluster/slave/buckets | Clusters Access peer bucket configuration information |
◯ |
No | |||
| cluster/slave/buckets/{name} | Clusters Access specific peer bucket configuration information |
◯ |
◯ |
No | ||
| cluster/slave/info | Clusters Access peer node information |
◯ |
No | |||
| cluster/slave/info/{name} | Clusters Access information about specific peer |
◯ |
No |
configs/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| configs/conf-{file} | Configuration Raw access to .conf files
|
◯ |
◯ |
No | ||
| configs/conf-{file}/{name} | Configuration Raw access to specific .conf file
|
◯ |
◯ |
◯ |
No |
data/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| data/commands | Search Access search commands |
◯ |
No | |||
| data/commands/{name} | Search Access specific search command |
◯ |
No | |||
| data/index-volumes | Introspection Access logical drive information |
◯ |
No | |||
| data/index-volumes/{name} | Introspection Access information for a logical drive |
◯ |
No | |||
| data/indexes | Introspection Manage data indexes |
◯ |
◯ |
No | ||
| data/indexes/{name} | Introspection Manage specific data index |
◯ |
◯ |
◯ |
No | |
| data/indexes-extended | Introspection Access index bucket level information |
◯ |
No | |||
| data/indexes-extended/{name} | Introspection Access specific index bucket level information |
◯ |
No | |||
| data/inputs/ad | Inputs Access Active Directory monitoring input |
◯ |
◯ |
No | ||
| data/inputs/ad/{name} | Inputs Access Active Directory monitoring stanza |
◯ |
◯ |
◯ |
No | |
| data/inputs/all | Inputs Access all inputs, including Modular Inputs |
◯ |
No | |||
| data/inputs/all/{name} | Inputs Access specific input |
◯ |
No | |||
| data/inputs/monitor | Inputs Access monitor inputs |
◯ |
◯ |
No | ||
| data/inputs/monitor/{name} | Inputs Manage specific monitor input |
◯ |
◯ |
◯ |
No | |
| data/inputs/monitor/{name}/members | Inputs Access files for the specific monitor input |
◯ |
No | |||
| data/inputs/oneshot | Inputs Access one-shot inputs |
◯ |
◯ |
No | ||
| data/inputs/oneshot/{name} | Inputs Access specific one-shot input information |
◯ |
No | |||
| data/inputs/registry | Inputs Access Windows registry monitor input |
◯ |
◯ |
No | ||
| data/inputs/registry/{name} | Inputs Manage Windows registry monitor stanza |
◯ |
◯ |
◯ |
No | |
| data/inputs/script | Inputs Manage scripted inputs settings |
◯ |
◯ |
No | ||
| data/inputs/script/restart | Inputs Restart scripted input |
◯ |
No | |||
| data/inputs/script/{name} | Inputs Manage specific scripted input |
◯ |
◯ |
◯ |
No | |
| data/inputs/tcp/cooked | Inputs Access forwarder TCP inputs |
◯ |
◯ |
No | ||
| data/inputs/tcp/cooked/{name} | Inputs Manage TCP inputs for specific host:port |
◯ |
◯ |
◯ |
No | |
| data/inputs/tcp/cooked/{name}/connections | Inputs Access connections for specific port |
◯ |
No | |||
| data/inputs/tcp/raw | Inputs Manage raw forwarder TCP inputs |
◯ |
◯ |
No | ||
| data/inputs/tcp/raw/{name} | Inputs Access raw TCP input information |
◯ |
◯ |
◯ |
No | |
| data/inputs/tcp/raw/{name}/connections | Inputs Manage raw TCP input information for specific host:port |
◯ |
No | |||
| data/inputs/tcp/ssl | Inputs Access SSL configuration information |
◯ |
No | |||
| data/inputs/tcp/ssl/{name} | Inputs Access SSL configuration for specific host |
◯ |
◯ |
No | ||
| data/inputs/udp | Inputs Access UDP inputs |
◯ |
◯ |
No | ||
| data/inputs/udp/{name} | Inputs Manage specific UDP input |
◯ |
◯ |
◯ |
No | |
| data/inputs/udp/{name}/connections | Inputs Manage specific UDP input connection |
◯ |
No | |||
| data/inputs/win-event-log-collections | Inputs Access all configured event log collections |
◯ |
◯ |
No | ||
| data/inputs/win-event-log-collections/{name} | Inputs Manage specific event log |
◯ |
◯ |
◯ |
No | |
| data/inputs/win-perfmon | Inputs Access Windows performance monitor information |
◯ |
◯ |
No | ||
| data/inputs/win-perfmon/{name} | Inputs Manage specific performance monitor configuration stanza |
◯ |
◯ |
◯ |
No | |
| data/inputs/win-wmi-collections | Inputs Access configured WMI collections |
◯ |
◯ |
No | ||
| data/inputs/win-wmi-collections/{name} | Inputs Manage specific WMI collection |
◯ |
◯ |
◯ |
No | |
| data/lookup-table-files | Knowledge Access lookup table files |
◯ |
◯ |
No | ||
| data/lookup-table-files/{name} | Knowledge Manage specific lookup table file |
◯ |
◯ |
◯ |
No | |
| data/modular-inputs | Inputs Access defined modular inputs |
◯ |
No | |||
| data/modular-inputs/{name} | Inputs Manage specific modular input |
◯ |
No | |||
| data/outputs/tcp/default | Outputs Access global TCP output properties |
◯ |
◯ |
No | ||
| data/outputs/tcp/default/{name} | Outputs Manage specific TCP output property setting |
◯ |
◯ |
◯ |
No | |
| data/outputs/tcp/group | Outputs Access data forwarding group configurations |
◯ |
◯ |
No | ||
| data/outputs/tcp/group/{name} | Outputs Manage specific data forwarding group |
◯ |
◯ |
◯ |
No | |
| data/outputs/tcp/server | Outputs Access data forwarding configurations |
◯ |
◯ |
No | ||
| data/outputs/tcp/server/{name} | Outputs Manage specific forwarder configuration |
◯ |
◯ |
◯ |
No | |
| data/outputs/tcp/server/{name}/allconnections | Outputs Access current connections for specific forwarder |
◯ |
No | |||
| data/outputs/tcp/syslog | Outputs Access forwarded server configured to provide data in standard syslog format |
◯ |
◯ |
No | ||
| data/outputs/tcp/syslog/{name} | Outputs Manage specific forwarder, which sends data in syslog format |
◯ |
◯ |
◯ |
No | |
| data/props/calcfields | Knowledge Access props.conf file calculated fields
|
◯ |
◯ |
No | ||
| data/props/calcfields/{name} | Knowledge Manage specific props.conf file calculated field
|
◯ |
◯ |
◯ |
No | |
| data/props/extractions | Knowledge Access props.conf file search-time field extractions
|
◯ |
◯ |
No | ||
| data/props/extractions/{name} | Knowledge Manage specific props.conf file field extraction
|
◯ |
◯ |
◯ |
No | |
| data/props/fieldaliases | Knowledge Access props.conf file field aliases
|
◯ |
◯ |
No | ||
| data/props/fieldaliases/{name} | Knowledge Manage specific props.conf file field alias
|
◯ |
◯ |
◯ |
No | |
| data/props/lookups | Knowledge Access props.conf file automatic lookups
|
◯ |
◯ |
No | ||
| data/props/lookups/{name} | Knowledge Manage specific props.conf file automatic lookup
|
◯ |
◯ |
◯ |
No | |
| data/props/sourcetype-rename | Knowledge Access renamed sourcetypes configured in props.conf file
|
◯ |
◯ |
No | ||
| data/props/sourcetype-rename/{name} | Knowledge Manage specific props.conf file sourcetype name
|
◯ |
◯ |
◯ |
No | |
| data/transforms/extractions | Knowledge Access field extraction definitions |
◯ |
◯ |
No | ||
| data/transforms/extractions/{name} | Knowledge Manage specific field extraction definition |
◯ |
◯ |
◯ |
No | |
| data/transforms/lookups | Knowledge Access transforms.conf file lookup definitions
|
◯ |
◯ |
No | ||
| data/transforms/lookups/{name} | Knowledge Manage specific transforms.conf file lookup definition
|
◯ |
◯ |
◯ |
No |
datamodel/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| datamodel/model | Knowledge Access information about data models |
◯ |
◯ |
No | ||
| datamodel/model/{name} | Knowledge Access information about a data model |
◯ |
◯ |
◯ |
No | |
| datamodel/acceleration | Knowledge [DEPRECATED] Access information about data models that have acceleration enabled |
◯ |
No | |||
| datamodel/acceleration/{name} | Knowledge [DEPRECATED] Access information about specific data models that has acceleration enabled |
◯ |
No | |||
| datamodel/pivot | Knowledge Access pivots based on named data models |
◯ |
No |
deployment/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| deployment/client | Deployment Access deployment client information |
◯ |
No | |||
| deployment/client/config | Deployment Access deployment client configuration |
◯ |
No | |||
| deployment/client/config/listIsDisabled | Deployment Access deployment client state information |
◯ |
No | |||
| deployment/client/config/reload | Deployment Access deployment client reload information |
◯ |
No | |||
| deployment/client/{name}/reload | Deployment Manage specific deployment client reload |
◯ |
No | |||
| deployment/server/applications | Deployment Access deployment server application and class information |
◯ |
No | |||
| deployment/server/applications/{name} | Deployment Manage specific server client application and class information |
◯ |
◯ |
No | ||
| deployment/server/clients | Deployment Access deployment server client information |
◯ |
No | |||
| deployment/server/clients/countClients_by_machineType | Deployment Access deployment server client information by machine type |
◯ |
No | |||
| deployment/server/clients/countRecentDownloads | Deployment Access client download information |
◯ |
No | |||
| deployment/server/clients/{name} | Deployment Manage specific client |
◯ |
◯ |
No | ||
| deployment/server/config | Deployment Access deployment server configuration |
◯ |
No | |||
| deployment/server/config/attributesUnsupportedInUI | Deployment Access deployment server attributes not available using Splunk Web |
◯ |
No | |||
| deployment/server/config/listIsDisabled | Deployment Access deployment server state |
◯ |
No | |||
| deployment/server/serverclasses | Deployment Access server class information |
◯ |
◯ |
No | ||
| deployment/server/serverclasses/{name} | Deployment Manage specific server class of deployment server |
◯ |
◯ |
◯ |
No | |
| deployment/server/serverclasses/rename | Deployment Manage server class name |
◯ |
No |
directory/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| directory | Knowledge Access user-configurable entities |
◯ |
No | |||
| directory/{name} | Knowledge Manage specific entity in directory service enumeration |
◯ |
No |
indexing/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| indexing/preview | Deployment Preview events from a file before indexing |
◯ |
◯ |
No | ||
| indexing/preview/{job_id} | Inputs Access props.conf file settings for specific data preview job
|
◯ |
No |
licenser/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| licenser/groups | Licensing Access licenser groups configuration |
◯ |
No | |||
| licenser/groups/{name} | Licensing Manage specific licenser group configuration |
◯ |
◯ |
No | ||
| licenser/licenses | Licensing Access licenses |
◯ |
◯ |
No | ||
| licenser/licenses/{name} | Licensing Manage specific license |
◯ |
◯ |
No | ||
| licenser/localslave | Licensing Get information about relevant license state for the splunk instance. |
◯ |
Yes | |||
| licenser/messages | Licensing Access licenser messages |
◯ |
No | |||
| licenser/messages/{name} | Licensing Access specific licenser message |
◯ |
No | |||
| licenser/pools | Licensing Access licenser pool information |
◯ |
◯ |
No | ||
| licenser/pools/{name} | Licensing Manage specific licenser pool |
◯ |
◯ |
◯ |
No | |
| licenser/slaves | Licensing Access license master slaves |
◯ |
No | |||
| licenser/slaves/{name} | Licensing Access specific license master slave |
◯ |
No | |||
| licenser/stacks | Licensing Access license stack configuration |
◯ |
No | |||
| licenser/stacks/{name} | Licensing Access specific license stack configuration |
◯ |
No |
messages/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| messages | System Manage system messages |
◯ |
◯ |
No | ||
| messages/{name} | System Manage specific system message |
◯ |
◯ |
No |
properties/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| properties | Configuration Access configuration files |
◯ |
◯ |
No | ||
| properties/{file_name} | Configuration Manage specific configuration file |
◯ |
◯ |
No | ||
| properties/{file_name}/{stanza_name} | Configuration Manage specific configuration file stanzas |
◯ |
◯ |
No | ||
| properties/{file_name}/{stanza_name}/{key_name} | Configuration Manage specific stanza in specific configuration file |
◯ |
◯ |
No |
receivers/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| receivers/simple | Inputs Use HTTP to send events |
◯ |
No | |||
| receivers/stream | Inputs Use socket to stream events |
◯ |
No |
saved/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| saved/eventtypes | Knowledge Manage saved event types |
◯ |
◯ |
No | ||
| saved/eventtypes/{name} | Knowledge Manage specific saved event type |
◯ |
◯ |
◯ |
No | |
| saved/searches | Search Manage saved searches configuration |
◯ |
◯ |
No | ||
| saved/searches/{name} | Search Manage specific saved search |
◯ |
◯ |
◯ |
No | |
| saved/searches/{name}/acknowledge | Search Manage saved search alerting |
◯ |
No | |||
| saved/searches/{name}/dispatch | Search Dispatch saved search |
◯ |
No | |||
| saved/searches/{name}/history | Search Access saved search job history |
◯ |
No | |||
| saved/searches/{name}/reschedule | Search Manage saved search job scheduling |
◯ |
No | |||
| saved/searches/{name}/scheduled_times | Search Access saved search scheduled times |
◯ |
No | |||
| saved/searches/{name}/suppress | Search Access saved search alerting state |
◯ |
No |
scheduled/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| scheduled/views | Search Access scheduled views for PDF delivery |
◯ |
No | |||
| scheduled/views/{name} | Search Manage specific scheduled view |
◯ |
◯ |
◯ |
No | |
| scheduled/views/{name}/dispatch | Search Dispatch search for specific scheduled view |
◯ |
No | |||
| scheduled/views/{name}/history | Search Access specific scheduled view job history |
◯ |
No | |||
| scheduled/views/{name}/reschedule | Search Manage scheduled view scheduling |
◯ |
No | |||
| scheduled/views/{name}/scheduled_times | Search Access specific scheduled view times |
◯ |
No |
search/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| search/distributed/bundle-replication-files | Deployment Access distributed search bundle replication files |
◯ |
No | |||
| search/distributed/bundle-replication-files/{name} | Deployment Access specific search bundle replication file |
◯ |
No | |||
| search/distributed/config | Deployment Access distributed search options |
◯ |
No | |||
| search/distributed/peers | Deployment Manage distributed server peers |
◯ |
No | |||
| search/distributed/peers/{name} | Deployment Manage distributed server peers |
◯ |
No | |||
| search/fields | Knowledge Access search field configuration |
◯ |
No | |||
| search/fields/{field_name} | Knowledge Access specific search field configuration |
◯ |
No | |||
| search/fields/{field_name}/tags | Knowledge Manage tags associated with specific search field |
◯ |
◯ |
No | ||
| search/jobs | Search Manage search jobs |
◯ |
◯ |
No | ||
| search/jobs/{search_id} | Search Manage specific search job |
◯ |
◯ |
◯ |
No | |
| search/jobs/{search_id}/control | Search Execute job control command for specific search |
◯ |
No | |||
| search/jobs/{search_id}/events | Search Access events for specific search |
◯ |
No | |||
| search/jobs/{search_id}/results | Search Access results of specific search |
◯ |
No | |||
| search/jobs/{search_id}/results_preview | Search Access preview results for specific search |
◯ |
No | |||
| search/jobs/{search_id}/search.log | Search Access search.log file for specific search
|
◯ |
No | |||
| search/jobs/{search_id}/summary | Search Access getFieldsAndStats output of so-far-read events
|
◯ |
No | |||
| search/jobs/{search_id}/timeline | Search Access event distribution over time |
◯ |
No | |||
| search/jobs/export | Search Stream search results |
◯ |
◯ |
No | ||
| search/parser | Search Access search language parsing services |
◯ |
No | |||
| search/tags | Knowledge Access search time tags |
◯ |
No | |||
| search/tags/{tag_name} | Knowledge Manage specific search time tag |
◯ |
◯ |
◯ |
No | |
| search/timeparser | Search Parse time argument |
◯ |
No | |||
| search/typeahead | Search Suggest search string auto-completion strings |
◯ |
No |
server/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| server/control | System Access server controls |
◯ |
No | |||
| server/control/restart | System Restart Splunk Enterprise splunkd server daemon. |
◯ |
No | |||
| server/control/restart_webui | System Restart Splunk Enterprise splunkweb Web interface process. |
◯ |
No | |||
| server/info | Introspection Access server configuration |
◯ |
No | |||
| server/introspection | Introspection List introspection resources |
◯ |
No | |||
| server/introspection/indexer | Introspection Get indexer status |
◯ |
No | |||
| server/introspection/kvstore | Introspection List app kvstore status resources |
◯ |
No | |||
| server/introspection/kvstore/collectionstats | Introspection Get storage statistics for a collection. |
◯ |
No | |||
| server/introspection/kvstore/replicasetstats | Introspection Get the status of the replica set from the point of view of the current server. |
◯ |
No | |||
| server/introspection/kvstore/serverstatus | Introspection Get an overview of the database process state. |
◯ |
No | |||
| server/logger | System Access logging categories |
◯ |
No | |||
| server/logger/{name} | System Manage specific logging category |
◯ |
◯ |
No | ||
| server/roles | System Access server configuration |
◯ |
No | |||
| server/settings | System Access server configuration |
◯ |
No | |||
| server/status | Introspection Access system status information |
◯ |
No | |||
| server/status/dispatch-artifacts | Introspection Access search job information |
◯ |
No | |||
| server/status/fishbucket | Introspection Access information about the private BTree database |
◯ |
No | |||
| server/status/limits/search-concurrency | Introspection Access search concurrency metrics |
◯ |
No | |||
| server/status/partitions-space | Introspection Access disk utilization information |
◯ |
No | |||
| server/status/resource-usage | Introspection Access current resource utilization information |
◯ |
No | |||
| server/status/resource-usage/hostwide | Introspection Access host-level resource utilization information |
◯ |
No | |||
| server/status/resource-usage/splunk-processes | Introspection Access operating system resource utilization information |
◯ |
No |
shcluster/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| shcluster/captain/artifacts | Clusters Get artifact configuration information for a cluster captain node. |
◯ |
No | |||
| shcluster/captain/artifacts/{name} | Clusters Get artifact configuration information for {name} node. |
◯ |
No | |||
| shcluster/captain/info | Clusters Access information about searchhead cluster captain node. |
◯ |
No | |||
| shcluster/captain/jobs | Clusters List running and recently finished jobs for all cluster members. |
◯ |
No | |||
| shcluster/captain/jobs/{name} | Clusters Get running and recently finished jobs for {name} cluster. |
◯ |
No | |||
| shcluster/captain/members | Clusters List cluster members. |
◯ |
No | |||
| shcluster/captain/members/{name} | Clusters Get information about the {name} searchhead cluster member. |
◯ |
No | |||
| shcluster/config | Clusters List searchhead cluster node configuration. |
◯ |
No | |||
| shcluster/member/artifacts | Clusters Get searchhead cluster member artifact configuration. |
◯ |
No | |||
| shcluster/member/artifacts/{name} | Clusters Get {name} member artifact configuration. |
◯ |
No | |||
| shcluster/member/consensus | Clusters Get latest cluster configuration from the raft consensus protocol. |
◯ |
No | |||
| shcluster/member/info | Clusters Get searchhead cluster member node information. |
◯ |
No |
storage/ URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| storage/passwords | Access control Manage authentication credentials |
◯ |
◯ |
No | ||
| storage/passwords/{name} | Access control Manage specific authentication credential |
◯ |
◯ |
◯ |
No |
storage/collections URI | Summary | GET | PUT | POST | DEL | AUTH |
|---|---|---|---|---|---|---|
| storage/collections/config | KV store Create or list connections. |
◯ |
◯ |
◯ |
No | |
| storage/collections/config/{collection} | KV store Manage a specific collection. |
◯ |
◯ |
◯ |
No | |
| storage/collections/data/{collection} | KV store Manage items of a collection. |
◯ |
◯ |
◯ |
◯ |
No |
| storage/collections/data/{collection}/{id} | KV store Manage a specific item of a collection. |
◯ |
◯ |
◯ |
◯ |
No |
| storage/collections/data/{collection}/batch_save | KV store Perform multiple save operations. |
◯ |
No |
Manage user authentication credentials.
https://<host>:<mPort>/services/auth/login
Authentication: Not required
Get a session ID for use in subsequent API calls that require authentication.
| Method | Description | Formats |
|---|---|---|
| POST | Get a session ID for use in subsequent API calls that require authentication. | XML, JSON |
auth/login method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| password required | String | Current username password. | |
| username required | String | Authenticated session owner name. |
| Name | Description |
|---|---|
| sessionKey | Session ID. |
Note: Only a <response> element is returned, instead of the full <atom> feed.
The splunkd server supports token-based authentication using the standard HTTP authorization header. Before you can access Splunk Enterprise resources, you must authenticate with the splunkd server using your username and password.
Failure to authenticate returns the following response:
<response>
<messages>
<msg type="WARN">Login failed</msg>
</messages>
</response>
Obtain a session ID to be used in the authorization header of subsequent REST API calls that require authentication.
[ Top ]
https://<host>:<mPort>/services/authentication/current-context
Authentication: Not required
Get the the authenticated session owner username.
| Method | Description | Formats |
|---|---|---|
| GET | Get the user information for the current context. | XML, JSON |
authentication/current-context method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | User authentication system type:
|
| tz | User timezone. |
| username | Authenticated session owner name. |
Use this endpoint in a search command to get the current user:
... rest /services/authentication/current-context/context | fields + username ...
[ Top ]
https://<host>:<mPort>/services/authentication/httpauth-tokens
Authentication: Not required
List currently active session IDs and users.
| Method | Description | Formats |
|---|---|---|
| GET | List currently active session IDs/users. | XML, JSON |
authentication/httpauth-tokens method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| authString | Unique identifier for this session. |
| searchId | Search ID associated with the session, if it was created for a search job. If it is a login-type session, the value is empty. |
| timeAccessed | Last time the session was touched. |
| userName | Username associated with the session. |
The session ID token is valid for the duration of the web session.
Search command example:
| rest /services/authentication/httpauth-tokens | search (NOT userName="splunk-system-user") searchId="" | table userName splunk_server timeAccessed
[ Top ]
https://<host>:<mPort>/services/authentication/httpauth-tokens/<name>
Authentication: Not required
Get or delete the {name} session, where {name} is the session ID returned by auth/login.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the session associated with this session ID. | XML, JSON |
| GET | Get session information. | XML, JSON |
authentication/httpauth-tokens/{name} method detailNone
None
authentication/httpauth-tokens/{name} method detailNone
| Name | Description |
|---|---|
| authString | Unique session identifier. |
| searchId | Session search ID, if it is a search job session. The value is blank for a login-type session. |
| timeAccessed | Last time the session was touched.
|
| userName | Username associated with the session. |
[ Top ]
https://<host>:<mPort>/services/authentication/users
Authentication: Not required
Create a user and list current users.
| Method | Description | Formats |
|---|---|---|
| GET | List registered users. | XML, JSON |
| POST | Create a user. | XML, JSON |
authentication/users method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | User authentication system type:
|
| tz | User timezone. |
authentication/users method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| createrole | String | Role to create for user. | |
| defaultApp | String | User default app. This overrides the default app inherited from the user roles. | |
| String | User email address. | ||
| force-change-pass | Boolean | Force user to change password indication:true = Force password change.false = Do not force password change.
| |
| name required | String | Unique user login name. | |
| password required | String | User login password. | |
| realname | String | Full user name. | |
| restart_background_jobs | Boolean | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
| |
| roles required | String | User role. To assign multiple roles to the user, use multiple roles parameters. At least one role is required. | |
| tz | String | User timezone. |
None
When creating a user you must specify at least one role. You can specify one or more roles with the roles parameter, or you can use the createrole parameter to create a role for the user.
Either use roles to specify one or more roles or use createrole to create a role. After creating the role, you can edit the role to indicate the user access level.
[ Top ]
https://<host>:<mPort>/services/authentication/users/<name>
Authentication: Not required
Get, update, or delete the {name} user.
List of available capabilities
| Method | Description | Formats |
|---|---|---|
| DELETE | Remove the specified user from the system. | XML, JSON |
| GET | Return the specified user information. | XML, JSON |
| POST | Update the specified user information. | XML, JSON |
authentication/users/{name} method detailNone
None
authentication/users/{name} method detailNone
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | User authentication system type:
|
| tz | User timezone. |
{name} is not case-sensitive.
authentication/users/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| createrole | String | Role to create for user. | |
| defaultApp | String | User default app. This overrides the default app inherited from the user roles. | |
| String | User email address. | ||
| force-change-pass | Boolean | Force user to change password indication:true = Force password change.false = Do not force password change.
| |
| name required | String | Unique user login name. | |
| password required | String | User login password. | |
| realname | String | Full user name. | |
| restart_background_jobs | Boolean | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
| |
| roles required | String | User role. To assign multiple roles to the user, use multiple roles parameters. At least one role is required. | |
| tz | String | User timezone. |
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
| defaultApp | Default app for the user, which is invoked at login. |
| defaultAppIsUserOverride | Default app override indicates:true = Default app overrides the user role default app.false = Default app does not override the user role default app.
|
| defaultAppSourceRole | The role that determines the default app for the user, if the user has multiple roles. |
| User email address. | |
| password | User password. |
| realname | User full name. |
| restart_background_jobs | Restart background search job that has not completed when Splunk Enterprise restarts indication:true = Restart job.false = Do not restart job.
|
| roles | Roles assigned to the user. |
| type | User authentication system type:
|
| tz | User timezone. |
[ Top ]
https://<host>:<mPort>/services/authorization/capabilities
Authentication: Not required
Get a list of all capabilities.
| Method | Description | Formats |
|---|---|---|
| GET | List system capabiilities. | XML, JSON |
authorization/capabilities method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role. |
[ Top ]
https://<host>:<mPort>/services/authorization/roles
Authentication: Not required
Create a role or get a list of defined roles with role permissions.
| Method | Description | Formats |
|---|---|---|
| GET | List all roles and the permissions for each role. | XML, JSON |
| POST | Create a user role. | XML, JSON |
authorization/roles method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role.
The Securing Splunk manual describes List of available capabilities. |
| cumulativeRTSrchJobsQuota | Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached. |
| cumulativeSrchJobsQuota | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached. |
| defaultApp | The name of the app to use as the default app for this role.
A user-specific default app overrides this. |
| imported_capabilities | List of capabilities assigned to role made available from imported roles. |
| imported_roles | List of imported roles for this role.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. |
| imported_rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
imported_srchDiskQuota specifies the quota for this role that have imported from other roles. |
| imported_srchFilter | Search string, imported from other roles, that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| imported_srchIndexesAllowed | A list of indexes, imported from other roles, this role has permissions to search. |
| imported_srchIndexesDefault | A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search. |
| imported_srchJobsQuota | The maximum number of historical searches for this role that are imported from other roles. |
| imported_srchTimeWin | Maximum time span of a search, in seconds.
imported_srchTimeWin specifies the limit from imported roles. |
| rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit. |
| srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. |
| srchFilter | Search string that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| srchIndexesAllowed | A list of indexes this role has permissions to search. |
| srchIndexesDefault | List of search indexes that default to this role when no index is specified. |
| srchJobsQuota | The maximum number of concurrent real time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchTimeWin | Maximum time span of a search, in seconds.
|
authorization/roles method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| capabilities | String | List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.
Roles inherit all capabilities from imported roles. | |
| cumulativeRTSrchJobsQuota | Number | Maximum number of concurrently running real-time searches that all members of this role can have.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. | |
| cumulativeSrchJobsQuota | Number | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. | |
| defaultApp | String | Specify the name of the app to use as the default app for the role.A user-specific default app overrides this.
The name you specify is the name of the folder containing the app. | |
| imported_roles | String | Specify a role to import attributes from. Specify many of these separately to import multiple roles. By default a role imports no other roles.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. Default Splunk Enterprise roles are:
You can specify additional roles created. | |
| name required | String | The name of the user role to create. | |
| rtSrchJobsQuota | Number | Specify the maximum number of concurrent real time search jobs for this role.
This count is independent from the normal search jobs limit. | |
| srchDiskQuota | Number | Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. | |
| srchFilter | String | Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.
The search string can include source, host, index, eventtype, sourcetype, search fields, *, OR and, AND. Example: "host=web* OR source=/var/log/*" Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes. | |
| srchIndexesAllowed | String | An index this role has permissions to search. To set several of these, pass this argument several times. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.
Search indexes available by default from Splunk Enterprise include:
You can also specify other search indexes added to the server. | |
| srchIndexesDefault | String | For this role, indexes to search when no index is specified.
These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'. A user with this role can search other indexes using "index= " For example, "index=special_index". Search indexes available by default from Splunk Enterprise include:
| |
| srchJobsQuota | Number | The maximum number of concurrent searches a user with this role is allowed to run. In the event of many roles per user, the maximum of these quotas is applied. | |
| srchTimeWin | Number | Maximum time span of a search, in seconds.
By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does. |
None
[ Top ]
https://<host>:<mPort>/services/authorization/roles/<name>
Authentication: Not required
Create, delete, or get a list properties of the {name} role.
List of available capabilities
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the specified role. | XML, JSON |
| GET | Get the specified role permissions. | XML, JSON |
| POST | Create/update the specified role. | XML, JSON |
authorization/roles/{name} method detailNone
None
authorization/roles/{name} method detailNone
| Name | Description |
|---|---|
| capabilities | List of capabilities assigned to role.
The Securing Splunk manual describes all capabilities. |
| cumulativeRTSrchJobsQuota | Maximum number of concurrently running real-time searches for all role members. Warning message logged when limit is reached. |
| cumulativeSrchJobsQuota | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached. |
| defaultApp | The name of the app to use as the default app for this role.
A user-specific default app overrides this. |
| imported_capabilities | List of capabilities assigned to role that were made available from imported roles. |
| imported_roles | List of imported roles for this role.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. |
| imported_rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit.
imported_rtSrchJObsQuota specifies the quota imported from other roles. |
| imported_srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total.
imported_srchDiskQuota specifies the quota for this role that have imported from other roles. |
| imported_srchFilter | Search string, imported from other roles, that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| imported_srchIndexesAllowed | A list of indexes, imported from other roles, this role has permissions to search. |
| imported_srchIndexesDefault | A list of indexes, imported from other roles, that this role defaults to when no index is specified in a search. |
| imported_srchJobsQuota | The maximum number of historical searches for this role that are imported from other roles. |
| imported_srchTimeWin | Maximum time span of a search, in seconds.
imported_srchTimeWin specifies the limit from imported roles. |
| rtSrchJobsQuota | The maximum number of concurrent real time search jobs for this role. This count is independent from the normal search jobs limit. |
| srchDiskQuota | The maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. |
| srchFilter | Search string that restricts the scope of searches run by this role.
Search results for this role only show events that also match this search string. When a user has multiple roles with different search filters, they are combined with an OR. |
| srchIndexesAllowed | A list of indexes this role has permissions to search. |
| srchIndexesDefault | List of search indexes that default to this role when no index is specified. |
| srchJobsQuota | The maximum number of concurrent real time search jobs for this role.
This count is independent from the normal search jobs limit. |
| srchTimeWin | Maximum time span of a search, in seconds.
|
authorization/roles/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| capabilities | String | List of capabilities assigned to role. To send multiple capabilities, send this argument multiple times.
Roles inherit all capabilities from imported roles. For more information, refer to About defining roles with capabilities. | |
| cumulativeRTSrchJobsQuota | Number | Maximum number of concurrently running real-time searches that all members of this role can have.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. | |
| cumulativeSrchJobsQuota | Number | Maximum number of concurrently running searches for all role members. Warning message logged when limit is reached.
Note: If a user belongs to multiple roles then the user first consumes searches from the roles with the largest cumulative search quota. When the quota of a role is completely used up then roles with lower quotas are examined. | |
| defaultApp | String | Specify the name of the app to use as the default app for the role.A user-specific default app overrides this.
The name you specify is the name of the folder containing the app. | |
| imported_capabilities | String | TBD | |
| imported_roles | String | Specify a role to import attributes from. Specify many of these separately to import multiple roles. By default a role imports no other roles.
Importing other roles imports all aspects of that role, such as capabilities and allowed indexes to search. In combining multiple roles, the effective value for each attribute is value with the broadest permissions. Default Splunk Enterprise roles are:
You can specify additional roles created. | |
| imported_rtSrchJobsQuota | String | TBD | |
| imported_srchDiskQuota | String | TBD | |
| imported_srchFilter | String | TBD | |
| imported_srchIndexesAllowed | String | TBD | |
| imported_srchIndexesDefault | String | TBD | |
| imported_srchJobsQuota | String | TBD | |
| imported_srchTimeWin | String | TBD | |
| rtSrchJobsQuota | Number | Specify the maximum number of concurrent real time search jobs for this role.
This count is independent from the normal search jobs limit. | |
| srchDiskQuota | Number | Specifies the maximum disk space in MB that can be used by a user's search jobs. For example, 100 limits this role to 100 MB total. | |
| srchFilter | String | Specify a search string that restricts the scope of searches run by this role. Search results for this role only show events that also match the search string you specify. In the case that a user has multiple roles with different search filters, they are combined with an OR.
The search string can include source, host, index, eventtype, sourcetype, search fields, *, OR and, AND. Example: "host=web* OR source=/var/log/*" Note: You can also use the srchIndexesAllowed and srchIndexesDefault parameters to limit the search on indexes. | |
| srchIndexesAllowed | String | An index this role has permissions to search. To set several of these, pass this argument several times. These may be wildcarded, but the index name must begin with an underscore to match internal indexes.
Search indexes available by default from Splunk Enterprise include:
You can also specify other search indexes added to the server. | |
| srchIndexesDefault | String | For this role, indexes to search when no index is specified.
These indexes can be wildcarded, with the exception that '*' does not match internal indexes. To match internal indexes, start with '_'. All internal indexes are represented by '_*'. A user with this role can search other indexes using "index= " For example, "index=special_index". Search indexes available by default from Splunk Enterprise include:
| |
| srchJobsQuota | Number | The maximum number of concurrent searches a user with this role is allowed to run. In the event of many roles per user, the maximum of these quotas is applied. | |
| srchTimeWin | Number | Maximum time span of a search, in seconds.
By default, searches are not limited to any specific time window. To override any search time windows from imported roles, set srchTimeWin to '0', as the 'admin' role does. |
None
[ Top ]
https://<host>:<mPort>/services/storage/passwords
Authentication: Not required
Create or update user credentials, or list credentials for all users.
| Method | Description | Formats |
|---|---|---|
| GET | List available credentials. | XML, JSON |
| POST | Create/update new credentials. | XML, JSON |
storage/passwords method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
Only admin-level users can access this endpoint.
The password is encrypted with a secure key resident on the same server.
storage/passwords method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| name required | String | Credentials user name. | |
| password required | String | Credentials user password. | |
| realm | String | Credentials realm. |
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
The password credential is the only part of the user credentials that is stored securely.
[ Top ]
https://<host>:<mPort>/services/storage/passwords/<name>
Authentication: Not required
Update, delete, or list credentials for the {name} user.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the specified user credentials. | XML, JSON |
| GET | Get the specified user credentials. | XML, JSON |
| POST | Update the specified user credentials. | XML, JSON |
storage/passwords/{name} method detailNone
None
The {name} part of the URL must be bounded by the colon ( : ) symbol.
Example:
/services/storage/passwords/:uname:
storage/passwords/{name} method detailNone
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
storage/passwords/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| password | String | User password credential. |
| Name | Description |
|---|---|
| clear_password | Clear text password. |
| encr_password | Encrypted, stored password. |
| password | Password mask, always ********.
|
| realm | Realm in which credentials are valid. |
| username | User name associated with credentials. |
The password credential is the only part of the user credentials that is stored securely.
[ Top ]
curl -k -u admin:changeme https://localhost:8089/services/auth/login -d <span style="color: #19177C">username</span><span style="color: #666666">=</span>admin -d <span style="color: #19177C">password</span><span style="color: #666666">=</span>changeme
<response>
<sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
</response>
curl -k -u admin:changeme https://localhost:8089/services/authentication/current-context
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>current-context</title>
<id>https://localhost:8089/services/authentication/current-context</id>
<updated>2014-06-30T11:26:19-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>context</title>
<id>https://localhost:8089/services/authentication/current-context/context</id>
<updated>2014-06-30T11:26:19-07:00</updated>
<link href="/services/authentication/current-context/context" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/current-context/context" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
<s:key name="username">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>15a773187d3e4437cbe9809f41f23d8f</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:28:04 2014</s:key>
<s:key name="userName">admin</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>694ef5bda40ae8c4f59626671b5f0c9a</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
<updated>2014-06-30T11:28:04-07:00</updated>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:26:09 2014</s:key>
<s:key name="userName">splunk-system-user</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T12:02:12-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>694ef5bda40ae8c4f59626671b5f0c9a</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a</id>
<updated>2014-06-30T12:02:12-07:00</updated>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="list"/>
<link href="/services/authentication/httpauth-tokens/694ef5bda40ae8c4f59626671b5f0c9a" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">1RU5vGFm2OPq29plLtvqlEB9xzPDLZ3AleUhE1bwPjIrKtvyLE4fODhs^TgI4_NamvVtqusj8GnnNxd5wBB1wT^qHXn1DOV7LcCvErpyTzOvISr^2TnKUC</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:42:31 2014</s:key>
<s:key name="userName">splunk-system-user</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/httpauth-tokens/vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>httpauth-tokens</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens</id>
<updated>2014-06-30T11:39:52-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>15a773187d3e4437cbe9809f41f23d8f</title>
<id>https://localhost:8089/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f</id>
<updated>2014-06-30T11:39:52-07:00</updated>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="list"/>
<link href="/services/authentication/httpauth-tokens/15a773187d3e4437cbe9809f41f23d8f" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="authString">vdZv2eB9F0842dyJhrIEiGNTcBMpBeGuwGPYxtGLKAESQkzjSjG7dbymQW58y^oI3kxYXWfK_Fd3cRGqwPQGp58RvEkzwCaC6PmQgCsK</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="searchId"></s:key>
<s:key name="timeAccessed">Mon Jun 30 11:39:52 2014</s:key>
<s:key name="userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/users
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authentication/users/admin</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<link href="/services/authentication/users/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/admin" rel="list"/>
<link href="/services/authentication/users/admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:27:48-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/users -d name=User1 -d password=changeme -d roles=admin
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:18:19-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:18:19-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authentication/users/user1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:51:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authentication/users/admin</id>
<updated>2014-06-30T12:51:09-07:00</updated>
<link href="/services/authentication/users/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/admin" rel="list"/>
<link href="/services/authentication/users/admin" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email">changeme@example.com</s:key>
<s:key name="password">********</s:key>
<s:key name="realname">Administrator</s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:39:18-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:39:18-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">0</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>defaultApp</s:item>
<s:item>email</s:item>
<s:item>force-change-pass</s:item>
<s:item>password</s:item>
<s:item>realname</s:item>
<s:item>restart_background_jobs</s:item>
<s:item>roles</s:item>
<s:item>tz</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authentication/users/user1 -d defaultApp=launcher
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>users</title>
<id>https://localhost:8089/services/authentication/users</id>
<updated>2014-06-30T12:45:23-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authentication/users/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>user1</title>
<id>https://localhost:8089/services/authentication/users/user1</id>
<updated>2014-06-30T12:45:23-07:00</updated>
<link href="/services/authentication/users/user1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authentication/users/user1" rel="list"/>
<link href="/services/authentication/users/user1" rel="edit"/>
<link href="/services/authentication/users/user1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="defaultAppIsUserOverride">1</s:key>
<s:key name="defaultAppSourceRole">system</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="email"></s:key>
<s:key name="password">********</s:key>
<s:key name="realname"></s:key>
<s:key name="restart_background_jobs">1</s:key>
<s:key name="roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="type">Splunk</s:key>
<s:key name="tz"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authorization/capabilities
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>capabilities</title>
<id>https://localhost:8089/services/authorization/capabilities</id>
<updated>2014-06-30T12:56:35-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>capabilities</title>
<id>https://localhost:8089/services/authorization/capabilities/capabilities</id>
<updated>2014-06-30T12:56:35-07:00</updated>
<link href="/services/authorization/capabilities/capabilities" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/capabilities/capabilities" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>delete_by_keyword</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>use_file_operator</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>5</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authorization/roles/admin</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/admin" rel="list"/>
<link href="/services/authorization/roles/admin" rel="edit"/>
<link href="/services/authorization/roles/admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>get_diag</s:item>
<s:item>indexes_edit</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>rest_apps_management</s:item>
<s:item>restart_splunkd</s:item>
<s:item>run_debug_commands</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">400</s:key>
<s:key name="cumulativeSrchJobsQuota">200</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>embed_report</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>power</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">20</s:key>
<s:key name="imported_srchDiskQuota">500</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">10</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">100</s:key>
<s:key name="srchDiskQuota">10000</s:key>
<s:key name="srchFilter">*</s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">50</s:key>
<s:key name="srchTimeWin">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>can_delete</title>
<id>https://localhost:8089/services/authorization/roles/can_delete</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/can_delete" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/can_delete" rel="list"/>
<link href="/services/authorization/roles/can_delete" rel="edit"/>
<link href="/services/authorization/roles/can_delete" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>delete_by_keyword</s:item>
<s:item>schedule_rtsearch</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>power</title>
<id>https://localhost:8089/services/authorization/roles/power</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/power" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/power" rel="list"/>
<link href="/services/authorization/roles/power" rel="edit"/>
<link href="/services/authorization/roles/power" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>embed_report</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">200</s:key>
<s:key name="cumulativeSrchJobsQuota">100</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">20</s:key>
<s:key name="srchDiskQuota">500</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">10</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunk-system-role</title>
<id>https://localhost:8089/services/authorization/roles/splunk-system-role</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/splunk-system-role" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/splunk-system-role" rel="list"/>
<link href="/services/authorization/roles/splunk-system-role" rel="edit"/>
<link href="/services/authorization/roles/splunk-system-role" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">100</s:key>
<s:key name="imported_srchDiskQuota">10000</s:key>
<s:key name="imported_srchFilter">*</s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">50</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user</title>
<id>https://localhost:8089/services/authorization/roles/user</id>
<updated>2014-06-30T13:12:17-07:00</updated>
<link href="/services/authorization/roles/user" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/user" rel="list"/>
<link href="/services/authorization/roles/user" rel="edit"/>
<link href="/services/authorization/roles/user" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles -d name=newrole1 -d imported_roles=user
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>newrole1</title>
<id>https://localhost:8089/services/authorization/roles/newrole1</id>
<updated>2014-06-30T13:21:50-07:00</updated>
<link href="/services/authorization/roles/newrole1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/newrole1" rel="list"/>
<link href="/services/authorization/roles/newrole1" rel="edit"/>
<link href="/services/authorization/roles/newrole1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/authorization/roles/newrole1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>5</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin</title>
<id>https://localhost:8089/services/authorization/roles/admin</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<link href="/services/authorization/roles/admin" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/admin" rel="list"/>
<link href="/services/authorization/roles/admin" rel="edit"/>
<link href="/services/authorization/roles/admin" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>get_diag</s:item>
<s:item>indexes_edit</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>rest_apps_management</s:item>
<s:item>restart_splunkd</s:item>
<s:item>run_debug_commands</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">400</s:key>
<s:key name="cumulativeSrchJobsQuota">200</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>embed_report</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>power</s:item>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">20</s:key>
<s:key name="imported_srchDiskQuota">500</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">10</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">100</s:key>
<s:key name="srchDiskQuota">10000</s:key>
<s:key name="srchFilter">*</s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">50</s:key>
<s:key name="srchTimeWin">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>can_delete</title>
<id>https://localhost:8089/services/authorization/roles/can_delete</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<link href="/services/authorization/roles/can_delete" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/can_delete" rel="list"/>
<link href="/services/authorization/roles/can_delete" rel="edit"/>
<link href="/services/authorization/roles/can_delete" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>delete_by_keyword</s:item>
<s:item>schedule_rtsearch</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>power</title>
<id>https://localhost:8089/services/authorization/roles/power</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<link href="/services/authorization/roles/power" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/power" rel="list"/>
<link href="/services/authorization/roles/power" rel="edit"/>
<link href="/services/authorization/roles/power" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>embed_report</s:item>
<s:item>rtsearch</s:item>
<s:item>schedule_search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">200</s:key>
<s:key name="cumulativeSrchJobsQuota">100</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">20</s:key>
<s:key name="srchDiskQuota">500</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">10</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunk-system-role</title>
<id>https://localhost:8089/services/authorization/roles/splunk-system-role</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<link href="/services/authorization/roles/splunk-system-role" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/splunk-system-role" rel="list"/>
<link href="/services/authorization/roles/splunk-system-role" rel="edit"/>
<link href="/services/authorization/roles/splunk-system-role" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_datamodel</s:item>
<s:item>accelerate_search</s:item>
<s:item>admin_all_objects</s:item>
<s:item>change_authentication</s:item>
<s:item>change_own_password</s:item>
<s:item>edit_deployment_client</s:item>
<s:item>edit_deployment_server</s:item>
<s:item>edit_dist_peer</s:item>
<s:item>edit_forwarders</s:item>
<s:item>edit_httpauths</s:item>
<s:item>edit_input_defaults</s:item>
<s:item>edit_monitor</s:item>
<s:item>edit_roles</s:item>
<s:item>edit_scripted</s:item>
<s:item>edit_search_server</s:item>
<s:item>edit_server</s:item>
<s:item>edit_splunktcp</s:item>
<s:item>edit_splunktcp_ssl</s:item>
<s:item>edit_tcp</s:item>
<s:item>edit_udp</s:item>
<s:item>edit_user</s:item>
<s:item>edit_view_html</s:item>
<s:item>edit_web_settings</s:item>
<s:item>edit_win_admon</s:item>
<s:item>edit_win_eventlogs</s:item>
<s:item>edit_win_perfmon</s:item>
<s:item>edit_win_regmon</s:item>
<s:item>edit_win_wmiconf</s:item>
<s:item>embed_report</s:item>
<s:item>get_diag</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>indexes_edit</s:item>
<s:item>input_file</s:item>
<s:item>license_edit</s:item>
<s:item>license_tab</s:item>
<s:item>list_deployment_client</s:item>
<s:item>list_deployment_server</s:item>
<s:item>list_forwarders</s:item>
<s:item>list_httpauths</s:item>
<s:item>list_inputs</s:item>
<s:item>list_pdfserver</s:item>
<s:item>list_win_localavailablelogs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_management</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>restart_splunkd</s:item>
<s:item>rtsearch</s:item>
<s:item>run_debug_commands</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>schedule_search</s:item>
<s:item>search</s:item>
<s:item>write_pdfserver</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">100</s:key>
<s:key name="imported_srchDiskQuota">10000</s:key>
<s:key name="imported_srchFilter">*</s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
<s:item>_*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
<s:item>os</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">50</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>user</title>
<id>https://localhost:8089/services/authorization/roles/user</id>
<updated>2014-06-30T13:39:39-07:00</updated>
<link href="/services/authorization/roles/user" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/user" rel="list"/>
<link href="/services/authorization/roles/user" rel="edit"/>
<link href="/services/authorization/roles/user" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">100</s:key>
<s:key name="cumulativeSrchJobsQuota">50</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list/>
</s:key>
<s:key name="imported_roles">
<s:list/>
</s:key>
<s:key name="imported_rtSrchJobsQuota">0</s:key>
<s:key name="imported_srchDiskQuota">0</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="imported_srchJobsQuota">0</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:30:34-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>newrole1</title>
<id>https://localhost:8089/services/authorization/roles/newrole1</id>
<updated>2014-06-30T13:30:34-07:00</updated>
<link href="/services/authorization/roles/newrole1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/newrole1" rel="list"/>
<link href="/services/authorization/roles/newrole1" rel="edit"/>
<link href="/services/authorization/roles/newrole1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp"></s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>capabilities</s:item>
<s:item>cumulativeRTSrchJobsQuota</s:item>
<s:item>cumulativeSrchJobsQuota</s:item>
<s:item>defaultApp</s:item>
<s:item>imported_roles</s:item>
<s:item>rtSrchJobsQuota</s:item>
<s:item>srchDiskQuota</s:item>
<s:item>srchFilter</s:item>
<s:item>srchIndexesAllowed</s:item>
<s:item>srchIndexesDefault</s:item>
<s:item>srchJobsQuota</s:item>
<s:item>srchTimeWin</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/authorization/roles/newrole1 -d defaultApp=launcher
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>roles</title>
<id>https://localhost:8089/services/authorization/roles</id>
<updated>2014-06-30T13:33:38-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/authorization/roles/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>newrole1</title>
<id>https://localhost:8089/services/authorization/roles/newrole1</id>
<updated>2014-06-30T13:33:38-07:00</updated>
<link href="/services/authorization/roles/newrole1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/authorization/roles/newrole1" rel="list"/>
<link href="/services/authorization/roles/newrole1" rel="edit"/>
<link href="/services/authorization/roles/newrole1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="capabilities">
<s:list/>
</s:key>
<s:key name="cumulativeRTSrchJobsQuota">0</s:key>
<s:key name="cumulativeSrchJobsQuota">0</s:key>
<s:key name="defaultApp">launcher</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="imported_capabilities">
<s:list>
<s:item>accelerate_search</s:item>
<s:item>change_own_password</s:item>
<s:item>get_metadata</s:item>
<s:item>get_typeahead</s:item>
<s:item>input_file</s:item>
<s:item>list_inputs</s:item>
<s:item>output_file</s:item>
<s:item>request_remote_tok</s:item>
<s:item>rest_apps_view</s:item>
<s:item>rest_properties_get</s:item>
<s:item>rest_properties_set</s:item>
<s:item>schedule_rtsearch</s:item>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="imported_roles">
<s:list>
<s:item>user</s:item>
</s:list>
</s:key>
<s:key name="imported_rtSrchJobsQuota">6</s:key>
<s:key name="imported_srchDiskQuota">100</s:key>
<s:key name="imported_srchFilter"></s:key>
<s:key name="imported_srchIndexesAllowed">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="imported_srchIndexesDefault">
<s:list>
<s:item>main</s:item>
</s:list>
</s:key>
<s:key name="imported_srchJobsQuota">3</s:key>
<s:key name="imported_srchTimeWin">-1</s:key>
<s:key name="rtSrchJobsQuota">6</s:key>
<s:key name="srchDiskQuota">100</s:key>
<s:key name="srchFilter"></s:key>
<s:key name="srchIndexesAllowed">
<s:list/>
</s:key>
<s:key name="srchIndexesDefault">
<s:list/>
</s:key>
<s:key name="srchJobsQuota">3</s:key>
<s:key name="srchTimeWin">-1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/storage/passwords
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T13:43:06-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:testuser:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A</id>
<updated>2014-06-30T13:43:06-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Atestuser%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">newpwd</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$prTUy3vRWg==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">testuser</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T13:51:44-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T13:51:44-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changeme2</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/servicesNS/nobody/search/storage/passwords/:user1:
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T14:21:11-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/user1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T14:06:04-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T14:06:04-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changeme2</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>password</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/pGcQ==</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords/splunker -d password=changemeAgain
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>passwords</title>
<id>https://localhost:8089/services/storage/passwords</id>
<updated>2014-06-30T14:13:57-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/storage/passwords/_new" rel="create"/>
<link href="/services/storage/passwords/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>:user1:</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/passwords/%3Auser1%3A</id>
<updated>2014-06-30T14:13:57-07:00</updated>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="list"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/passwords/%3Auser1%3A" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="clear_password">changemeAgain</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="encr_password">$1$q7nC1WvQY/p0UtMdIVM=</s:key>
<s:key name="password">********</s:key>
<s:key name="realm"></s:key>
<s:key name="username">user1</s:key>
</s:dict>
</content>
</entry>
</feed>
Manage applications.
https://<host>:<port>/services/apps/appinstall
Authentication: Not required
Install application.
| Method | Description | Formats |
|---|---|---|
| POST | Install or update an application from a local file or URL. | XML, JSON |
apps/appinstall method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | Full Unix or Windows path of the .tgz or .spl app source file. The path can be on the local disk or a URL. | |
| update | Boolean | Update existing app indication:true = update existing app, overwriting the existing app folder.false = [Default] install new app.
|
| Name | Description |
|---|---|
| location | Installed location ($SPLUNK_HOME/etc/apps/<appname>). |
| name | App name. |
| source_location | App source file location, the path name request parameter. |
| status | Install status:installed = Successfully installed.
|
Expect some response delay while app is installed.
[ Top ]
https://<host>:<port>/services/apps/apptemplates
Authentication: Not required
List installed app templates.
| Method | Description | Formats |
|---|---|---|
| GET | List installed app templates. | XML, JSON |
apps/apptemplates method detailPagination and filtering parameters can be used with this method.
None
Each <entry> element includes a <link> reference to an app template. The barebones and sample_app templates are installed by default.
Use the app template as the /services/apps/local endpoint template POST parameter.
[ Top ]
https://<host>:<port>/services/apps/apptemplates/{name}
Authentication: Not required
Get the {name} app template descriptor.
| Method | Description | Formats |
|---|---|---|
| GET | Get the {name} app template descriptor. | XML, JSON |
apps/apptemplates/{name} method detailPagination and filtering parameters can be used with this method.
None
[ Top ]
https://<host>:<port>/services/apps/local
Authentication: Not required
Create an app or list installed apps and properties.
| Method | Description | Formats |
|---|---|---|
| GET | List installed apps and properties. | XML, JSON |
| POST | Create an app. | XML, JSON |
apps/local method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| author | App author with optional contact info. For apps deployed on Splunkbase, the Splunkbase account username. |
| check_for_updates | Check for updates indication: true = Check Splunkbase for app updates. false = Do not check Splunkbase for app updates. |
| configured | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. |
| description | Short app description also displayed below the app title in Splunk Web and Launcher. |
| details | Splunk Enterprise Apps URL for detailed information about the app. |
| disabled | App state indication: true = App is disabled. false = App is enabled. |
| label | App name also displayed in Splunk Web and Launcher. |
| state_change_requires_restart | Restart required on state change indication: true = App state change requires restart. false = App state change might not require restart, depending on other restart requirements. |
| version | App version. |
| visible | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
Splunkbase can correlate locally-installed apps with the same app on Splunkbase for update notifications.
apps/local method detail| Name | Type | Default | Description |
|---|---|---|---|
| auth | String | Splunkbase session token for operations like install and update that require login. Use auth or session when installing or updating an app through Splunkbase. | |
| author | String | For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information. | |
| configured | Boolean | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. | |
| description | String | Short app description also displayed below the app title in Splunk Web Launcher. | |
| explicit_appname | String | Custom app name. When installing an app from a file, where filename is true, overrides name. | |
| filename | Boolean | App source location: true = name is a path to a file to install. false = name is the literal app name and the app is created from Splunkbase using a template. | |
| label | String | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". | |
| name required | String | Literal app name or path to the file to install, depending on the value of filename: filename = false: literal app name and the app is created from Splunkbase using a template. filename = true: URL or path to local .tar, .tgz or .spl file. If name is the Splunkbase URL, set auth or session to authenticate the request. | |
| session | String | Login session token for installing or updating an app on Splunkbase. Alternatively, use auth. | |
| template | Enum | App template to use when creating the app" barebones - [Default] Basic app framework. sample_app - Example views and searches. Any custom app template. | |
| update | Boolean | File-based update indication: true = Can use filename to update an existing app. false = [Default] Cannot use filename to update an existing app. | |
| version | String | App version. | |
| visible | Boolean | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information. |
| check_for_updates | Check for updates indication: true = Check Splunkbase for app updates. false = Do not check Splunkbase for app updates. |
| configured | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. |
| description | Short app description also displayed below the app title in Splunk Web Launcher. |
| disabled | App state indication: true = App is disabled. false = App is enabled. |
| label | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| name | Installed app name, which might differ from the POST name parameter. |
| state_change_requires_restart | Restart required on state change indication: true = App state change requires restart. false = App state change might not require restart, depending on other restart requirements. |
| version | App version. |
| visible | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
[ Top ]
https://<host>:<port>/services/apps/local/{name}
Authentication: Not required
Manage {name} app.
"Uninstall an app"
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the {name} app. | XML, JSON |
| GET | List information about the {name} app. | XML, JSON |
| POST | Update the {name} app properties. | XML, JSON |
apps/local/{name} method detailNone
None
A message is displayed that might indicate a restart is required.
apps/local/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| refresh | Boolean | Reload any objects associated with the {name} app indication: true = Reload objects. false = Do not reload objects. |
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information. |
| check_for_updates | Check for updates indication: true = Check Splunkbase for app updates. false = Do not check Splunkbase for app updates. |
| configured | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. |
| description | Short app description also displayed below the app title in Splunk Web Launcher. |
| disabled | App state indication: true = App is disabled. false = App is enabled. |
| label | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| state_change_requires_restart | Restart required on state change indication: true = App state change requires restart. false = App state change might not require restart, depending on other restart requirements. |
| version | App version. |
| visible | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
apps/local/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| author | String | For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information. | |
| check_for_updates | Boolean | Check for updates indication: true = Check Splunkbase for app updates. false = Do not check Splunkbase for app updates. | |
| configured | Boolean | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. | |
| description | String | Short app description also displayed below the app title in Splunk Web Launcher. | |
| label | String | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". | |
| version | String | App version. | |
| visible | Boolean | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
| Name | Description |
|---|---|
| author | For apps posted to Splunkbase, your Splunk Enterprise account username. For internal apps, your full name and contact information. |
| check_for_updates | Check for updates indication: true = Check Splunkbase for app updates. false = Do not check Splunkbase for app updates. |
| configured | Custom setup complete indication: true = Custom app setup complete. false = Custom app setup not complete. |
| description | Short app description also displayed below the app title in Splunk Web Launcher. |
| disabled | App state indication: true = App is disabled. false = App is enabled. |
| label | App name displayed in Splunk Web, from five to 80 characters and excluding the prefix "Splunk For". |
| state_change_requires_restart | Restart required on state change indication: true = App state change requires restart. false = App state change might not require restart, depending on other restart requirements. |
| version | App version. |
| visible | App is visible and navigable from Splunk Web indication: true = App is visible and navigable. false = App is not visible and navigable. |
[ Top ]
https://<host>:<port>/services/apps/local/{name}/package
Authentication: Required
Archive the {name} app as a .spl file in the $SPLUNK_HOME/etc/system/static/app-packages directory.
| Method | Description | Formats |
|---|---|---|
| GET | Archive the {name}.spl app. | XML, JSON |
apps/local/{name}/package method detailNone
| Name | Description |
|---|---|
| name | App name and name of the folder containing the app. |
| path | Local path to an archive of the app. |
| url | App download URL. |
Download the archived app using the following URL:
https://host:<port>/static/app-packages/{name}.spl
[ Top ]
https://<host>:<port>/services/apps/local/{name}/setup
Authentication: Not required
Get the {name} app setup information.
Configure a setup screen
| Method | Description | Formats |
|---|---|---|
| GET | Get setup information for the {name} app. | XML, JSON |
apps/local/{name}/setup method detailNone
| Name | Description |
|---|---|
| <script location> | TBD |
| eai:setup | CDATA setup script location. |
Some apps contain setup scripts that must be run before the app is enabled. For those apps, the setup.xml file must exist in the $SPLUNK_BASE\etc\apps\<appname>\default directory.
[ Top ]
https://<host>:<port>/services/apps/local/{name}/update
Authentication: Not required
Get update information for the {name} app.
| Method | Description | Formats |
|---|---|---|
| GET | Get {name} app eai:acl information. | XML, JSON |
apps/local/{name}/update method detailNone
The eai:acl key of the {name} app.
[ Top ]
curl -k -u admin:changeme https://localhost:8089/services/apps/appinstall/ -d name=c:/tmp/splunk-dashboard-examples_50.tgz
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/apps/appinstall</id>
<updated>2014-07-01T09:44:41-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/appinstall/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>dashboard_examples</title>
<id>https://localhost:8089/services/apps/appinstall/dashboard_examples</id>
<updated>2014-07-01T09:44:41-07:00</updated>
<link href="/services/apps/appinstall/dashboard_examples" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/appinstall/dashboard_examples" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="location">C:\Program Files\Splunk\etc\apps\dashboard_examples</s:key>
<s:key name="name">dashboard_examples</s:key>
<s:key name="source_location">c:/tmp/splunk-dashboard-examples_50.tgz</s:key>
<s:key name="status">installed</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/apps/apptemplates</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>barebones</title>
<id>https://localhost:8089/services/apps/apptemplates/barebones</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<link href="/services/apps/apptemplates/barebones" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/barebones" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>sample_app</title>
<id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
<updated>2014-07-01T09:50:36-07:00</updated>
<link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/sample_app" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/apptemplates/sample_app
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/apps/apptemplates</id>
<updated>2014-07-01T09:54:23-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>sample_app</title>
<id>https://localhost:8089/services/apps/apptemplates/sample_app</id>
<updated>2014-07-01T09:54:23-07:00</updated>
<link href="/services/apps/apptemplates/sample_app" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/apptemplates/sample_app" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="lol">wut</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>13</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>cupcake_demo</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/cupcake_demo</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/cupcake_demo/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk PM</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="description">This app provides a walk-through of the key features for Cupcake.</s:key>
<s:key name="details">https://splunkbase.splunk.com/apps/id/cupcake_demo</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Cupcake Release</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>dashboard_examples</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk, Inc.</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key>
<s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Splunk Dashboard Examples</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">5.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>framework</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/framework</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/framework/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/framework" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/framework/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/framework/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">framework</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>gettingstarted</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/gettingstarted</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/gettingstarted/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="description">Get started with Splunk. This app introduces you to many of Splunk's features. You'll learn how to use Splunk to index data, search and investigate, add knowledge, monitor and alert, report and analyze.</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Getting started</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>introspection_generator_addon</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/introspection_generator_addon</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/introspection_generator_addon/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="description">Affords and supports the Platform Instrumentation initiative.</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">introspection_generator_addon</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">6.1</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>launcher</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/launcher</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/launcher" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/launcher" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/launcher/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/launcher" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/launcher/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Home</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>learned</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/learned</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/learned" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/learned" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/learned/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/learned" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/learned" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/learned/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/learned/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">learned</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>legacy</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/legacy</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/legacy" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/legacy" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/legacy/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/legacy" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/legacy" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/legacy/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/legacy/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">legacy</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>sample_app</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/sample_app</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/sample_app" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/sample_app" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/sample_app/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/sample_app" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/sample_app" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/sample_app/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/sample_app/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">sample data</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>search</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/search</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/search" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/search" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/search/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/search" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/search/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="description"><![CDATA[The Search app is Splunk's default interface for searching and analyzing IT data. It allows you to index data into Splunk, add knowledge, build reports, and create alerts. The Search app can be used across many areas of IT including application management, operations management, security, and compliance.]]></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Search & Reporting</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">6.1</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>splunk_datapreview</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/splunk_datapreview</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/splunk_datapreview/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/splunk_datapreview" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/splunk_datapreview/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk, Inc.</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">1</s:key>
<s:key name="description">Provides interactive timestamping and event breaking facilities for data inputs.</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">Splunk Data Preview</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">0.1</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>SplunkForwarder</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/SplunkForwarder</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkForwarder/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">SplunkForwarder</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>SplunkLightForwarder</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/SplunkLightForwarder</id>
<updated>2014-07-01T09:58:57-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/enable" rel="enable"/>
<link href="/servicesNS/nobody/system/apps/local/SplunkLightForwarder/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="disabled">1</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">SplunkLightForwarder</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="visible">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local -d name=restDemo
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:09:37-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>restDemo</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
<updated>2014-07-01T10:09:37-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author"></s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">restDemo</s:key>
<s:key name="name">restDemo</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/apps/local/sample_app
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-15T10:24:35-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages>
<s:msg type="INFO">Restart required by: indexes</s:msg>
</s:messages>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local/dashboard_examples
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:23:46-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>dashboard_examples</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/dashboard_examples</id>
<updated>2014-07-01T10:23:46-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/disable" rel="disable"/>
<link href="/servicesNS/nobody/system/apps/local/dashboard_examples/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author">Splunk, Inc.</s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"><![CDATA[Example dashboards, forms, and views for Splunk 5+. This is the succesor app to UI Examples 4.1+. Splunk Dashboard Examples contains over 50 examples updated for Splunk 5. Each example contains inline documenation to help get you started building Splunk dashboards.]]></s:key>
<s:key name="details">https://splunkbase.splunk.com/apps/id/dashboard_examples</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>author</s:item>
<s:item>check_for_updates</s:item>
<s:item>configured</s:item>
<s:item>description</s:item>
<s:item>label</s:item>
<s:item>version</s:item>
<s:item>visible</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="label">Splunk Dashboard Examples</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">5.0</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo -d version=1.1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:28:35-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>restDemo</title>
<id>https://localhost:8089/servicesNS/nobody/system/apps/local/restDemo</id>
<updated>2014-07-01T10:28:35-07:00</updated>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="list"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="edit"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo" rel="remove"/>
<link href="/servicesNS/nobody/system/apps/local/restDemo/package" rel="package"/>
<content type="text/xml">
<s:dict>
<s:key name="author"></s:key>
<s:key name="check_for_updates">1</s:key>
<s:key name="configured">0</s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="label">restDemo</s:key>
<s:key name="state_change_requires_restart">0</s:key>
<s:key name="version">1.1</s:key>
<s:key name="visible">1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local/restDemo/package
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-01T10:46:43-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Package</title>
<id>https://localhost:8089/services/apps/local/Package</id>
<updated>2014-07-01T10:46:43-07:00</updated>
<link href="/services/apps/local/Package" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/local/Package/setup" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="name">restDemo</s:key>
<s:key name="path">C:\Program Files\Splunk\etc\system\static\app-packages\restDemo.spl</s:key>
<s:key name="url">https://ghartsell-t420s:8089/static/app-packages/restDemo.spl</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local/unix/setup
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2011-07-13T11:24:35-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>unix</title>
<id>https://localhost:8089/servicesNS/nobody/unix/apps/local/unix</id>
<updated>2011-07-13T11:24:35-07:00</updated>
<link href="/servicesNS/nobody/unix/apps/local/unix" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/unix/apps/local/unix/setup" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="/admin/script/.%252Fbin%252Fcpu.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fcpu.sh/interval">30</s:key>
<s:key name="/admin/script/.%252Fbin%252Fdf.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fdf.sh/interval">300</s:key>
... elided ...
<s:key name="/admin/script/.%252Fbin%252Fwho.sh/enabled">1</s:key>
<s:key name="/admin/script/.%252Fbin%252Fwho.sh/interval">150</s:key>
... eai:acl element elided ...
... eai:attributes element elided ...
<s:key name="eai:setup">
<![CDATA[<?xml version="1.0" encoding="UTF-8"?> <SetupInfo> <block title="Welcome to the Splunk for nix App"> <text>The Splunk for nix app provides some sample searches and reports to boot-strap your use of Splunk for Unix host management. To work, it needs certain inputs enabled. These system metrics drive the sample dashboards. Please review and confirm the inputs below before proceeding.</text> </block> <block title="CPU Stats (sar / mpstat / etc.)" endpoint="admin/script" entity=".%252Fbin%252Fcpu.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Fcpu.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Fcpu.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block>
. . .
<block title="Time Query (date, ntpdate -q)" endpoint="admin/script" entity=".%252Fbin%252Ftime.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Ftime.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Ftime.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Linux Audit Log (/var/log/audit/audit.log | ausearch)" endpoint="admin/script" entity=".%252Fbin%252Frlog.sh"> <input field="interval" id="/admin/script/.%252Fbin%252Frlog.sh/interval"> <label>Polling Interval (sec)</label> <type>text</type> </input> <input field="enabled" id="/admin/script/.%252Fbin%252Frlog.sh/enabled"> <label>Enable</label> <type>bool</type> </input> </block> <block title="Warning"> <text>Submitting this form can take a long time. Please be patient and wait for it to complete before navigating away from this page.</text> </block> </SetupInfo> ]]> </s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/apps/local/gettingstarted/update
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localapps</title>
<id>https://localhost:8089/services/apps/local</id>
<updated>2014-07-15T10:34:13-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/apps/local/_new" rel="create"/>
<link href="/services/apps/local/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>gettingstarted</title>
<id>https://localhost:8089/services/apps/local/gettingstarted</id>
<updated>2014-07-15T10:34:13-07:00</updated>
<link href="/services/apps/local/gettingstarted" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/apps/local/gettingstarted" rel="list"/>
<link href="/services/apps/local/gettingstarted/_reload" rel="_reload"/>
<link href="/services/apps/local/gettingstarted" rel="edit"/>
<link href="/services/apps/local/gettingstarted" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
Manage master and peer cluster nodes.
https://<host>:<mPort>/services/cluster/config
Authentication: Not required
Configure and access nodes in a cluster.
| Method | Description | Formats |
|---|---|---|
| GET | List cluster node configuration. | XML, JSON |
cluster/config method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| Attribute | Description |
| cxn_timeout | Low-level timeout, in seconds, for establishing connection between cluster nodes. Defaults to 60 seconds. |
| disabled | Indicates if this node is disabled. |
| forwarderdata_rcv_port | The port from which to receive data from a forwarder. |
| forwarderdata_use_ssl | Indicates whether to use SSL when receiving data from a forwarder. |
| heartbeat_period | Only valid for peer nodes in a cluster. The time, in seconds, that a peer attempts to send a heartbeat to the master |
| heartbeat_timeout | Only valid for the master node in a cluster configuration. The time, in seconds, before a master considers a peer down. Once a peer is down, the master initiates steps to replicate buckets from the dead peer to its live peers. Defaults to 60 seconds. |
| master_uri | Valid only for nodes configured as a peer or searchhead.
URI of the cluster master to which this node connects. |
| max_peer_build_load | The number of jobs that a peer can have in progress at any time that make the bucket searchable. |
| max_peer_rep_load | Maximum number of replications that can be ongoing as a target. |
| mode | Valid values: (master | slave | searchhead | disabled) Defaults to disabled.
Sets operational mode for this cluster node. Only one master may exist per cluster. |
| ping_flag | For internal use to facilitate communication between the master and peers. |
| quiet_period | The time, in seconds, that a master waits for peers to add themselves to the cluster. |
| rcv_timeout | Low-level timeout, in seconds, for receiving data between cluster nodes. Defaults to 60 seconds. |
| register_forwarder_address | Not used.
Reserved for future use. |
| register_replication_address | Valid only for nodes configured as peers. The address on which a peer is available for accepting replication data. This is useful in the cases where a peer host machine has multiple interfaces and only one of them can be reached by another splunkd instance. |
| register_search_address | IP address that advertises this indexer to search heads. |
| rep_cxn_timeout | Low-level timeout, in seconds, for establishing a connection for replicating data. |
| rep_max_rcv_timeout | Maximum cumulative time, in seconds, for receiving acknowledgement data from peers. Defaults to 600s. |
| rep_max_send_timeout | Maximum time, in seconds, for sending replication slice data between cluster nodes. Defaults to 600s. |
| rep_rcv_timeout | Low-level timeout, in seconds, for receiving data between cluster nodes. |
| rep_send_timeout | Low-level timeout, in seconds, for sending replication data between cluster nodes. Defaults to 5 seconds. |
| replication_factor | Only valid for nodes configured as a master.
Determines how many copies of raw data are created in the cluster. This could be less than the number of cluster peers. Must be greater than 0 and greater than or equal to the search factor. Defaults to 3. |
| replication_port | TCP port to listen for replicated data from another cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| restart_timeout | Only valid for nodes configured as a master. The amount of time, in seconds, the master waits for a peer to come back when the peer is restarted (to avoid the overhead of trying to fix the buckets that were on the peer). Defaults to 600 seconds.
Note: This only works if the peer is restarted from Splunk Web. |
| search_factor | Only valid for nodes configured as a master. Determines how many searchable copies of each bucket to maintain. Must be less than or equal to replication_factor and greater than 0. Defaults to 2. |
| secret | Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.
Corresponds to pass4SymmKey setting in |
| send_timeout | Low-level timeout, in seconds, for sending data between cluster nodes. Defaults to 60 seconds. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/buckets
Authentication: Not required
Provides bucket configuration information for a cluster master node.
| Method | Description | Formats |
|---|---|---|
| GET | Lists cluster master node bucket configuration. | XML, JSON |
cluster/master/buckets method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| Attribute | Description |
| bucket_size | Indicates the size, in bytes, of the bucket. |
| constrain_to_origin_site | Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site. |
| force_roll | Flag indicating hot bucket needs to be force to roll by master. Usually when hot bucket does not have enough streaming targets to meet the policy. |
| frozen | Indicates if the bucket is frozen. |
| index | Name of the index to which the bucket belongs. |
| origin_site | Where the bucket originated. |
| peers | Lists information about buckets on peers to this master. |
| primaries_by_site | Primary peer (GIUD). |
| rep_count_by_site | Number of buckets. |
| search_count_by_site | Number of searchable buckets. |
| service_after_time | Bucket service is deferred until after this time. |
| standalone | Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/buckets/{name}
Authentication: Not required
Access bucket configuration information.
| Method | Description | Formats |
|---|---|---|
| GET | List bucket configuration information. | XML, JSON |
cluster/master/buckets/{name} method detailThe filter parameter of the Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| bucket_size | Indicates the size, in bytes, of the bucket. |
| constrain_to_origin_site | Flag indicating this particular bucket is a clustered pre-multisite bucket. Such buckets are replicated only within their origin site. |
| force_roll | Flag indicating hot bucket needs to be force to roll by master. Usually when hot bucket does not have enough streaming targets to meet the policy. |
| frozen | Indicates if the bucket is frozen. |
| index | Name of the index to which the bucket belongs. |
| origin_site | Where the bucket originated. |
| peers | Lists information about buckets on peers to this master. |
| primaries_by_site | Primary peer (GIUD). |
| rep_count_by_site | Number of buckets. |
| search_count_by_site | Number of searchable buckets. |
| service_after_time | Bucket service is deferred until after this time. |
| standalone | Indicates if the bucket was created on the peer before the peer entered into a cluster configuration with this master. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/control/control/rebalance_primaries
Authentication: Not required
Rebalance primary buckets across peers.
| Method | Description | Formats |
|---|---|---|
| POST | Rebalance primary buckets across all peers of this master. | XML, JSON |
cluster/master/control/control/rebalance_primaries method detailNone
None
[ Top ]
https://<host>:<mPort>/services/cluster/master/control/control/remove_peers
Authentication: Not required
Remove one or more peers.
| Method | Description | Formats |
|---|---|---|
| POST | Remove one or more peers. | XML, JSON |
cluster/master/control/control/remove_peers method detail| Name | Type | Default | Description |
|---|---|---|---|
| peers required | String | One or more comma-separated peer GUIDs. |
None
If peer status is not Down or GracefulShutdown, the interface returns the following error message:
<response>
<messages>
<msg type="ERROR">
In handler 'clustermastercontrol': Remove aborted, Reason: Peer=<hostname> with guid=<peerID> cannot be removed. Peer has status=Up. Only peers with status=Down (or) GracefulShutdown can be removed.</msg>
</messages>
</response>
[ Top ]
https://<host>:<mPort>/services/cluster/master/generation
Authentication: Not required
Access current generation cluster master information.
| Method | Description | Formats |
|---|---|---|
| GET | List peer nodes participating in the current generation for this master. | XML, JSON |
| POST | Create a cluster generation. | XML, JSON |
cluster/master/generation method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| generation_id | The ID for the current generation for this master. |
| generation_peers | Lists the peers for this generation of the cluster. |
| pending_generation_id | The next generation ID used by the master when committing a new generation.
This value is useful for debugging. |
| pending_last_attempt | The timestamp of the last attempt to commit to the pending generation ID (if ever). |
| pending_last_reason | The reason why this peer failed to commit to the pending generation.
This parameter is EMPTY if no such attempt was made. |
cluster/master/generation method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The URI of the searchhead node of a cluster upon which to create a new generation. | |
| generation_poll_interval | Number | How often, in seconds, the searchhead polls the master for generation information.
Defaults to 60 seconds. | |
| label | String | Server name for the Splunk Enterprise instance specified by the name attribute. | |
| mgmt_port | String | The managment port of searchhead node in a cluster upon which you are creating a new generation. | |
| register_search_address | String | The address on which a peer node is available as search head.
This is useful in the cases where a splunk host machine has multiple interfaces and only one of them can be reached by another splunkd instance. |
| Name | Description |
|---|---|
| generation_id | The ID for the current generation for this master. |
| generation_peers | Lists the peers for this generation of the cluster. |
| pending_generation_id | The next generation ID used by the master when committing a new generation.
This value is useful for debugging. |
| pending_last_attempt | The timestamp of the last attempt to commit to the pending generation ID (if ever). |
| pending_last_reason | The reason why this peer failed to commit to the pending generation.
This parameter is EMPTY if no such attempt was made. |
| replication_factor_met | Indicates if the replication factor was met for the cluster. |
| search_factor_met | Indicates if the search factor was met for the cluster. |
| was_forced | Indicates next generation was forcibly committed. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/generation/{name}
Authentication: Not required
Access information about a peer node participating in the current generation for the specified search head GUID.
| Method | Description | Formats |
|---|---|---|
| GET | List peer node information of the specified search head GUID. | XML, JSON |
| POST | Create a new generation for the specified search head GUID. | XML, JSON |
cluster/master/generation/{name} method detailNone
| Name | Description |
|---|---|
| generation_id | The ID of the current generation for this master. |
| generation_peers | Lists the peers for this generation of the cluster. |
| pending_generation_id | The next generation ID used by the master when committing a new generation.
This value is useful for debugging. |
| pending_last_attempt | The timestamp of the last attempt to commit to the pending generation ID (if ever). |
| pending_last_reason | The reason why this peer failed to commit to the pending generation.
This parameter is EMPTY if no such attempt was made. |
cluster/master/generation/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| generation_poll_interval | Number | How often, in seconds, the searchhead polls the master for generation information.
Defaults to 60 seconds. | |
| label | String | Server name for the search head specified by {name}. | |
| mgmt_port | String | The managment port of searchhead node in a cluster upon which you are creating a new generation. | |
| register_search_address | String | The address on which a peer node is available as search head.
This is useful in the cases where a splunk host machine has multiple interfaces and only one of them can be reached by another splunkd instance. |
| Name | Description |
|---|---|
| generation_id | The ID for the current generation for this master. |
| generation_peers | Lists the peers for this generation of the cluster. |
| pending_generation_id | The next generation ID used by the master when committing a new generation.
This value is useful for debugging. |
| pending_last_attempt | The timestamp of the last attempt to commit to the pending generation ID (if ever). |
| pending_last_reason | The reason why this peer failed to commit to the pending generation.
This parameter is EMPTY if no such attempt was made. |
| replication_factor_met | Indicates if the replication factor was met for the cluster. |
| search_factor_met | Indicates if the search factor was met for the cluster. |
| was_forced | Indicates next generation was forcibly committed. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/indexes
Authentication: Not required
Access cluster index information.
| Method | Description | Formats |
|---|---|---|
| GET | Lists cluster indices. | XML, JSON |
cluster/master/indexes method detailNone
| Attribute | Description | ||||||
|---|---|---|---|---|---|---|---|
| buckets_with_excess_copies | Number of distinct buckets that have one or more excess replication copies. | ||||||
| buckets_with_excess_searchable_copies | Number of distinct buckets that have one or more excess searchable copies. | ||||||
| index_size | Size of the index | ||||||
| is_searchable | When every bucket in the index has a primary, the index is considered "searchable". | ||||||
| non_site_aware_buckets_in_site_aware_cluster | Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.) | ||||||
| num_buckets | Total number of distinct buckets. | ||||||
| replicated_copies_tracker | Displays how many distinct buckets have X number of copies.
| ||||||
| searchable_copies_tracker | Displays how many distinct buckets have X number of searchable copies.
| ||||||
| sort_order | Used by UI. | ||||||
| total_excess_bucket_copies | Total number of excess copies for all buckets. | ||||||
| total_excess_searchable_copies | Total number of excess searchable copies for all buckets. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/indexes/{name}
Authentication: Not required
Access specific cluster index information.
| Method | Description | Formats |
|---|---|---|
| GET | Lists index information. | XML, JSON |
cluster/master/indexes/{name} method detailNone
| Attribute | Description | ||||||
|---|---|---|---|---|---|---|---|
| buckets_with_excess_copies | Number of distinct buckets that have one or more excess replication copies. | ||||||
| buckets_with_excess_searchable_copies | Number of distinct buckets that have one or more excess searchable copies. | ||||||
| index_size | Size of the index | ||||||
| is_searchable | When every bucket in the index has a primary, the index is considered "searchable". | ||||||
| non_site_aware_buckets_in_site_aware_cluster | Number of buckets created when the cluster was not in a multisite config. (Included only when the cluster is in multisite config.) | ||||||
| num_buckets | Total number of distinct buckets. | ||||||
| replicated_copies_tracker | Displays how many distinct buckets have X number of copies.
| ||||||
| searchable_copies_tracker | Displays how many distinct buckets have X number of searchable copies.
| ||||||
| sort_order | Used by UI. | ||||||
| total_excess_bucket_copies | Total number of excess copies for all buckets. | ||||||
| total_excess_searchable_copies | Total number of excess searchable copies for all buckets. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/info
Authentication: Not required
Access information about cluster master node.
| Method | Description | Formats |
|---|---|---|
| GET | List cluster master node details. | XML, JSON |
cluster/master/info method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| active_bundle | Provides information about the active bundle for this master. |
| bundle_creation_time_on_master | The time, in epoch seconds, when the bundle was created on the master. |
| bundle_validation_errors_on_master | A list of bundle validation errors. |
| bundle_validation_in_progress | Indicates if bundle validation is in progress. |
| bundle_validation_on_master_succeeded | Indicates whether the master succeeded validating bundles. |
| data_safety_buckets_to_fix | Lists the buckets to fix for the completion of data safety. |
| gen_commit_buckets_to_fix | The buckets to be fixed before the next generation can be committed. |
| indexing_ready_flag | Indicates if the cluster is ready for indexing. |
| initialized_flag | Indicates if the cluster is initialized. |
| label | The name for the master that is displayed in the Splunk Enterprise Manager page. |
| latest_bundle | The most recent information reflecting any changes made to the master-apps configuration bundle.
In steady state, this is equal to active_bundle. If it is not equal, then pushing the latest bundle to all peers is in process (or needs to be started). |
| maintenance_mode | Indicates if the cluster is in maintenance mode. |
| reload_bundle_issued | Indicates if the bundle issued is being reloaded. |
| rep_count_buckets_to_fix | Number of buckets to fix on peers. |
| rolling_restart_flag | Indicates whether the master is restarting the peers in a cluster. |
| search_count_buckets_to_fix | Number of buckets to fix to satisfy the search count. |
| service_ready_flag | Indicates whether the master is ready to begin servicing, based on whether it is initialized. |
| start_time | Timestamp corresponding to the creation of the master. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/peers
Authentication: Not required
Access cluster master peers.
cluster/master/control/control/remove_peers
| Method | Description | Formats |
|---|---|---|
| GET | List cluster master peers. | XML, JSON |
cluster/master/peers method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| active_bundle_id | The ID of the configuration bundle currently being used by the master. |
| apply_bundle_status | Bundle status enumeration. |
| base_generation_id | The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.
The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master. |
| bucket_count | Count of the number of buckets on this peer, across all indexes. |
| bucket_count_by_index | Count of the number of buckets by index on this peer. |
| delayed_buckets_to_discard | List of bucket IDs waiting to be discarded on this peer. |
| fixup_set | The set of buckets that need repair once you take the peer offline. |
| heartbeat_started | Flag indicating if this peer has started heartbeating. |
| host_port_pair | The host and port advertised to peers for the data replication channel.
Can be either of the form IP:port or hostname:port. |
| is_searchable | Flag indicating if this peer belongs to the current committed generation and is searchable. |
| label | The name for the peer that is displayed in the Splunk Enterprise Manager page. |
| last_heartbeat | Timestamp for last heartbeat recieved from the peer. |
| latest_bundle_id | The ID of the configuration bundle this peer is using. |
| pending_job_count | Used by the master to keep track of pending jobs requested by the master to this peer. |
| primary_count | Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer. |
| primary_count_remote | Number of buckets for which the peer is primary that are not in its local site. |
| replication_count | Number of replications this peer is part of, as either source or target. |
| replication_port | TCP port to listen for replicated data from another cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| search_state_counter | Lists the number of buckets on the peer for each search state for the bucket.
Possible values for search state include:
|
| site | To which site the peer belongs. |
| status | Indicates the status of the peer.
Valid values are:
|
| status_counter | Lists the number of buckets on the peer for each bucket status.
Possible values for bucket status:
|
[ Top ]
https://<host>:<mPort>/services/cluster/master/peers/{name}
Authentication: Not required
Access specified peer.
| Method | Description | Formats |
|---|---|---|
| GET | Get {name} peer information. | XML, JSON |
cluster/master/peers/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| list_buckets | Boolean | Indicates whether to list the buckets for the peers to this master. |
| Name | Description |
|---|---|
| active_bundle_id | The ID of the configuration bundle currently being used by the master. |
| apply_bundle_status | Bundle status enumeration. |
| base_generation_id | The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.
The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master. |
| bucket_count | Count of the number of buckets on this peer, across all indexes. |
| bucket_count_by_index | Count of the number of buckets by index on this peer. |
| delayed_buckets_to_discard | List of bucket IDs waiting to be discarded on this peer. |
| fixup_set | The set of buckets that need repair once you take the peer offline. |
| heartbeat_started | Flag indicating if this peer has started heartbeating. |
| host_port_pair | The host and port advertised to peers for the data replication channel.
Can be either of the form IP:port or hostname:port. |
| is_searchable | Flag indicating if this peer belongs to the current committed generation and is searchable. |
| label | The name for the peer that is displayed in the Splunk Enterprise Manager page. |
| last_heartbeat | Timestamp for last heartbeat recieved from the peer. |
| latest_bundle_id | The ID of the configuration bundle this peer is using. |
| pending_job_count | Used by the master to keep track of pending jobs requested by the master to this peer. |
| primary_count | Number of buckets for which the peer is primary in its local site, or the number of buckets that return search results from same site as the peer. |
| primary_count_remote | Number of buckets for which the peer is primary that are not in its local site. |
| replication_count | Number of replications this peer is part of, as either source or target. |
| replication_port | TCP port to listen for replicated data from another cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| search_state_counter | Lists the number of buckets on the peer for each search state for the bucket.
Possible values for search state include:
|
| site | To which site the peer belongs. |
| status | Indicates the status of the peer.
Valid values are:
|
| status_counter | Lists the number of buckets on the peer for each bucket status.
Possible values for bucket status:
|
[ Top ]
https://<host>:<mPort>/servicescluster/master/sites
Authentication: Not required
Access cluster site information.
| Method | Description | Formats |
|---|---|---|
| GET | List available cluster sites. | XML, JSON |
cluster/master/sites method detailNone
| Name | Description |
|---|---|
| peers | Peers list of host:port and server name. |
[ Top ]
https://<host>:<mPort>/services/cluster/master/sites/{name}
Authentication: Not required
Access specific cluster site information.
| Method | Description | Formats |
|---|---|---|
| GET | List specific cluster site information. | XML, JSON |
cluster/master/sites/{name} method detailNone
| Name | Description | ||||||
|---|---|---|---|---|---|---|---|
| peers | Site peer reference, for each peer:
|
[ Top ]
https://<host>:<mPort>/services/cluster/searchhead/generation
Authentication: Not required
Access peer information in a cluster searchhead.
| Method | Description | Formats |
|---|---|---|
| GET | List peers available to a cluster searchhead. | XML, JSON |
cluster/searchhead/generation method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| generation_id | The current generation ID for this searchhead, which is part of a cluster configuration.
The search head uses this information to determine which buckets to search across. |
| generation_peers | List of peer nodes for the current generation in the cluster configuration for this searchhead. |
[ Top ]
https://<host>:<mPort>/services/cluster/searchhead/generation/{name}
Authentication: Not required
Access peer of the master URI.
| Method | Description | Formats |
|---|---|---|
| GET | Get {name} searchhead generation ID and generation peers. | XML, JSON |
cluster/searchhead/generation/{name} method detailNone
| Name | Description |
|---|---|
| generation_id | The current generation ID for this searchhead, which is part of a cluster configuration.
The search head uses this information to determine which buckets to search across. |
| generation_peers | List of peer nodes for the current generation in the cluster configuration for this searchhead. |
[ Top ]
https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig
Authentication: Not required
Access cluster searchhead node configuration.
| Method | Description | Formats |
|---|---|---|
| GET | List this cluster search head node configuration. | XML, JSON |
| POST | Configure this server as a cluster searchhead node. | XML, JSON |
cluster/searchhead/searchheadconfig method detailPagination and filtering parameters can be used with this method.
None
cluster/searchhead/searchheadconfig method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The URI of the master node in the cluster. | |
| secret required | String | Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.
Corresponds to pass4SymmKey setting in server.conf. |
None
[ Top ]
https://<host>:<mPort>/services/cluster/searchhead/searchheadconfig/{name}
Authentication: Not required
Manage node in a cluster.
| Method | Description | Formats |
|---|---|---|
| DELETE | Remove node from cluster. | XML, JSON |
| GET | List cluster search head node configuration. | XML, JSON |
| POST | Update cluster search head node configuration. | XML, JSON |
cluster/searchhead/searchheadconfig/{name} method detailNone
None
cluster/searchhead/searchheadconfig/{name} method detailNone
None
cluster/searchhead/searchheadconfig/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| master_uri | String | The URI of the master node in the cluster for which this searchhead is configured. | |
| secret | String | Secret shared among the nodes in the cluster to prevent any arbitrary node from connecting to the cluster. If a peer or searchhead is not configured with the same secret as the master, it is not able to communicate with the master.
Corresponds to pass4SymmKey setting in server.conf. |
None
[ Top ]
https://<host>:<mPort>/services/cluster/slave/buckets
Authentication: Not required
Access cluster peers bucket configuration.
| Method | Description | Formats |
|---|---|---|
| GET | List cluster peers bucket configuration. | XML, JSON |
cluster/slave/buckets method detail| Name | Type | Default | Description |
|---|---|---|---|
| generation_id | String | The generation ID for this peer. For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search. |
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| checksum | Used internally to identify this bucket. |
| earliest_time | Indicates the time of the earliest event in this bucket. |
| generation_id | The generation ID for this peer. |
| generations | A sparse list of generation id to bucket primacy for the given peer. |
| latest_time | Indicates the time for the latest event in this bucket. |
| search_state | Indicates if the bucket is searchable.
Possible values:
|
| status | Indicates the status of this bucket.
Possible values:
|
[ Top ]
https://<host>:<mPort>/services/cluster/slave/buckets/{name}
Authentication: Not required
Manage peer buckets.
| Method | Description | Formats |
|---|---|---|
| DELETE | Remove specified bucket from peer node. | XML, JSON |
| GET | List peer specified bucket information. | XML, JSON |
cluster/slave/buckets/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| bucket_id required | Sring | The identifier for the bucket to remove. |
None
cluster/slave/buckets/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| generation_id | String | The generation ID for this peer. For each generation, the master server in a cluster configuration assigns generation IDs. A generation identifies which copies of a cluster's buckets are primary and therefore can participate in a search. |
| Name | Description |
|---|---|
| checksum | Used internally to identify this bucket. |
| earliest_time | Indicates the time of the earliest event in this bucket. |
| generation_id | The generation ID for this peer. |
| generations | A sparse list of generation id to bucket primacy for the given peer. |
| latest_time | Indicates the time for the latest event in this bucket. |
| search_state | Indicates if the bucket is searchable.
Possible values:
|
| status | Indicates the status of this bucket.
Possible values:
|
[ Top ]
https://<host>:<mPort>/services/cluster/slave/info
Authentication: Not required
Access cluster peer node information.
| Method | Description | Formats |
|---|---|---|
| GET | List peer information. | XML, JSON |
cluster/slave/info method detailPagination and filtering parameters can be used with this method.
| active_bundle | Current bundle being used by this peer. |
| base_generation_id | The initial bundle generation ID recognized by this peer. Any searches from previous generations fail.
The initial bundle generation ID is created when a peer first comes online, restarts, or recontacts the master. |
| invalid_bundle_ids | List of bundle ids with validation errors in the peer. |
| is_registered | Indicates if this peer is registered with the master in the cluster. |
| last_heartbeat_attempt | Timestamp for the last attempt to contact the master. |
| latest_bundle | Lists information about the most recent bundle downloaded from the master. |
| restart_state | Indicates whether the peer needs to be restarted to enable its cluster configuration. |
| status | Indicates the status of the peer.
Possible values:
|
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/artifacts
Authentication: Not required
Provides list of artifacts and replicas for a searchhead cluster.
An artifact in search head clustering is a managed search directory. Currently only scheduled search results directories are managed, and replicated according to replication policy. This endpoint can only be accessed on the captain. The artifacts listed are all the artifacts that are currently managed by the captain across the searchhead cluster, present on the various members. NB: adhoc searches are not considered artifacts and are not listed.
| Method | Description | Formats |
|---|---|---|
| GET | Lists searchhead cluster artifacts and replicas | XML, JSON |
shcluster/captain/artifacts method detail| Name | Type | Default | Description |
|---|---|---|---|
| remote_sids required | Bool | Set this to true to return the searches that the captain is seeing. Will include adhoc searches on remote members. |
| artifact_size | Artifact size, in bytes. |
| origin_guid | Guid of the origin peer where this artifact was created/search was run. |
| peers | Lists information about replicas of this artifact on members of this searchhead cluster. |
| service_after_time | Artifact service/fixup is deferred until after this time. |
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/artifacts/{name}
Authentication: Not required
Get artifact information for a specific artifact.
| Method | Description | Formats |
|---|---|---|
| GET | Get artifact information, size, replicas and earliest service time. | XML, JSON |
shcluster/captain/artifacts/{name} method detailPagination and filtering parameters can be used with this method.
| artifact_size | Artifact size, in bytes. |
| origin_guid | Guid of the origin peer where this artifact was created. |
| peers | Lists information about artifacts on members of this captain. |
| service_after_time | Artifact service is deferred until after this time. |
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/info
Authentication: Not required
Access information about searchhead cluster captain node.
| Method | Description | Formats |
|---|---|---|
| GET | List searchhead cluster captain node details. | XML, JSON |
shcluster/captain/info method detailPagination and filtering parameters can be used with this method.
| elected_captain | Time when the current captain was elected |
| id | Id of this SH cluster. This is used as the unique identifier for the Search Head Cluster in bundle replication and acceleration summary management. |
| initialized_flag | Indicates if the searchhead cluster is initialized. |
| label | The name for the captain that is displayed in the Splunk Enterprise Manager page. |
| maintenance_mode | Indicates if the cluster is in maintenance mode. |
| min_peers_joined_flag | Flag to indicate if more then replication_factor peers have joined the cluster. |
| peer_scheme_host_port | URI of the current captain. |
| rolling_restart_flag | Indicates whether the captain is restarting the members in a searchhead cluster. |
| service_ready_flag | Indicates whether the captain is ready to begin servicing, based on whether it is initialized. |
| start_time | Timestamp corresponding to the creation of the captain. |
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/jobs
Authentication: Not required
List running and recently finished jobs for all cluster members.
| Method | Description | Formats |
|---|---|---|
| GET | Cluster-wide list of running and recently finished jobs | XML, JSON |
shcluster/captain/jobs method detailPagination and filtering parameters can be used with this method.
For each job:
| ATTEMPT_[n] | dispatch_time - The UTC time of dispatch for the job errormsg - If the job failed, capturing the reason for failure peer - GUID of the member that the job was sent to sid - the search id of this attempt success - a boolean for success/failure of the job |
| job_state | Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member. |
| saved_search | The name of the saved-search from the associated savedsearches.conf file. |
| savedsearchtype | The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches. |
| search_app | The application in which the savedsearch was created. |
| search_owner | The owner of the saved search. |
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/jobs/{name}
Authentication: Not required
Get running and recently finished jobs for {name} cluster.
| Method | Description | Formats |
|---|---|---|
| GET | Get running and recently finished jobs. | XML, JSON |
shcluster/captain/jobs/{name} method detailPagination and filtering parameters can be used with this method.
| ATTEMPT_[n] | dispatch_time - The UTC time of dispatch for the job errormsg - If the job failed, capturing the reason for failure peer - GUID of the member that the job was sent to sid - the search id of this attempt success - a boolean for success/failure of the job |
| job_state | Job State can be SCHEDULED/DISPATCHED/COMPLETED. A SCHEDULED job has been received by the captain from the scheduler to schedule. A DISPATCHED job has started to run on a remote member. A COMPLETED job has finished running on the remote member. |
| saved_search | The name of the saved-search from the associated savedsearches.conf file. |
| savedsearchtype | The scheduler manages three kinds of scheduled jobs, regular savedsearch for both realtime and historical, autosummary report acceleration build searches, and tsidx tsidx build searches. |
| search_app | The application in which the savedsearch was created. |
| search_owner | The owner of the saved search. |
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/members
Authentication: Not required
Lists the search head cluster members.
| Method | Description | Formats |
|---|---|---|
| GET | List cluster members. | XML, JSON |
shcluster/captain/members method detailPagination and filtering parameters can be used with this method.
| adhoc_searchhead | Flag to indicate if this member does not run scheduled searches. |
| advertise_restart_required | Flag to indicate if this peer advertised that it needed a restart. |
| artifact_count | Number of artifacts on this peer |
| delayed_artifacts_to_discard | List of artifacts waiting to be deleted from this peer. |
| fixup_set | N/A |
| host_port_pair | The host and management port advertised by this peer. |
| kv_store_host_port | Host and port of the kv store instance of this member. |
| label | The name for this member that is displayed in the Splunk Enterprise Manager page. |
| last_heartbeat | Timestamp for last heartbeat recieved from the peer |
| peer_scheme_host_port | URI of the current captain. |
| pending_job_count | Used by the captain to keep track of pending jobs requested by the captain to this member. |
| replication_count | Number of replications this peer is part of, as either source or target. |
| replication_port | TCP port to listen for replicated data from another cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| site | N/A |
| status | Indicates the status of the member.
Valid values are:
|
| status_counter | Lists the number of buckets on the peer for each bucket status.
Possible values for bucket status:
|
[ Top ]
https://<host>:<mPort>/services/shcluster/captain/members/{name}
Authentication: Not required
Get information about the {name} searchhead cluster member.
| Method | Description | Formats |
|---|---|---|
| GET | Get information about the {name} searchhead cluster member. | XML, JSON |
shcluster/captain/members/{name} method detailPagination and filtering parameters can be used with this method.
| adhoc_searchhead | Flag to indicate if this member does not run scheduled searches. |
| advertise_restart_required | Flag to indicate if this peer advertised that it needed a restart. |
| artifact_count | Number of artifacts on this peer. |
| delayed_artifacts_to_discard | List of artifacts waiting to be deleted from this peer. |
| fixup_set | N/A |
| host_port_pair | The host and management port advertised by this peer. |
| kv_store_host_port | Host and port of the kv store instance of this member. |
| label | The name for this member displayed in the Splunk Enterprise Manager page. |
| last_heartbeat | Timestamp for last heartbeat recieved from the peer |
| peer_scheme_host_port | URI of the current captain. |
| pending_job_count | Used by the master to keep track of pending jobs requested by the master to this peer. |
| replication_count | Number of replications this peer is part of, as either source or target. |
| replication_port | TCP port to listen for replicated data from another cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| site | N/A |
| status | Indicates the status of the member.
Valid values are:
|
| status_counter | Lists the number of buckets on the peer for each bucket status.
Possible values for bucket status:
|
[ Top ]
https://<host>:<mPort>/services/shcluster/config
Authentication: Not required
List searchhead cluster node configuration.
| Method | Description | Formats |
|---|---|---|
| GET | List searchhead cluster node configuration. | XML, JSON |
shcluster/config method detailPagination and filtering parameters can be used with this method.
| cxn_timeout | Low-level timeout, in seconds, for establishing connection between searchhead cluster nodes. Defaults to 60 seconds. |
| disabled | Indicates if this node is disabled. |
| heartbeat_period | Only valid for member nodes in a searchhead cluster. The time, in seconds, that a member attempts to send a heartbeat to the captain |
| heartbeat_timeout | Only valid for the captain node in a searchhead cluster configuration. The time, in seconds, before a captain considers a member down. Once a member is down, the captain initiates steps to replicate artifacts from the dead member to its live members. Defaults to 60 seconds. |
| id | Id of the SH cluster this member is a part of. |
| max_peer_rep_load | Maximum number of replications that can be ongoing as a target. |
| mode | slave | searchhead | disabled) Defaults to disabled.
Sets operational mode for this searchhead cluster node. Only one captain may exist per searchhead cluster. |
| percent_peers_to_restart | Percentage of peers to restart at the same time when doing a rolling restart. |
| ping_flag | For internal use to facilitate communication between the captain and members. |
| quiet_period | The time, in seconds, that a captain waits for members to add themselves to the searchhead cluster. |
| rcv_timeout | Low-level timeout, in seconds, for receiving data between searchhead cluster nodes. Defaults to 60 seconds. |
| register_replication_address | Valid only for nodes configured as members. The address on which a member is available for accepting replication data. This is useful in the cases where a member host machine has multiple interfaces and only one of them can be reached by another splunkd instance. |
| rep_cxn_timeout | Low-level timeout, in seconds, for establishing a connection for replicating data. |
| rep_max_rcv_timeout | Maximum cumulative time, in seconds, for receiving acknowledgement data from members. Defaults to 600s. |
| rep_max_send_timeout | Maximum time, in seconds, for sending replication slice data between searchhead cluster nodes. Defaults to 600s. |
| rep_rcv_timeout | Low-level timeout, in seconds, for receiving data between searchhead cluster nodes. |
| rep_send_timeout | Low-level timeout, in seconds, for sending replication data between searchhead cluster nodes. Defaults to 5 seconds. |
| replication_factor | Only valid for nodes configured as a captain.
Determines how many copies of raw data are created in the searchhead cluster. This could be less than the number of searchhead cluster members. Must be greater than 0 and greater than or equal to the search factor. Defaults to 3. |
| replication_port | TCP port to listen for replicated data from another searchhead cluster member. |
| replication_use_ssl | Indicates whether to use SSL when sending replication data. |
| restart_timeout | Only valid for nodes configured as a captain. The amount of time, in seconds, the captain waits for a member to come back when the member is restarted (to avoid the overhead of trying to fix the artifacts that were on the member). Defaults to 600 seconds.
Note: This only works if the member is restarted from Splunk Web. |
| secret | Secret shared among the nodes in the searchhead cluster to prevent any arbitrary node from connecting to the searchhead cluster. If a member or searchhead is not configured with the same secret as the captain, it is not able to communicate with the captain.
Corresponds to pass4SymmKey setting in server.conf. |
| send_timeout | Low-level timeout, in seconds, for sending data between searchhead cluster nodes. Defaults to 60 seconds. |
[ Top ]
https://<host>:<mPort>/services/shcluster/member/artifacts
Authentication: Not required
Manage searchhead cluster member artifact configuration.
| Method | Description | Formats |
|---|---|---|
| GET | List searchhead cluster members artifact configuration. | XML, JSON |
shcluster/member/artifacts method detailPagination and filtering parameters can be used with this method.
For each member:
| status | Indicates the status of this artifact. Possible values: Complete: Copy of this artifact contains the full complement of information. StreamingSource: The copy of this artifact is sending data to member nodes for replication. StreamingTarget: The copy of this artifact is receiving replicated data. NonStreamingTarget: This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete. StreamingError: the copy of this artifact encountered errors while streaming data. PendingTruncate: The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation. PendingDiscard: The captain asked the member to discard this copy of the artifact (for whatever reason, and is waiting for confirmation. Standalone: A artifact in the searchhead cluster that is not replicated. |
[ Top ]
https://<host>:<mPort>/services/shcluster/member/artifacts/{name}
Authentication: Not required
Get {name} member artifact configuration.
| Method | Description | Formats |
|---|---|---|
| GET | List {name} member artifact information. | XML, JSON |
shcluster/member/artifacts/{name} method detailPagination and filtering parameters can be used with this method.
| status | Indicates the status of this artifact. Possible values: Complete: Copy of this artifact contains the full complement of information. StreamingSource: The copy of this artifact is sending data to member nodes for replication. StreamingTarget: The copy of this artifact is receiving replicated data. NonStreamingTarget: This copy of a warm artifact replication is in progress. Once replication is complete, the status changes to Complete. StreamingError: the copy of this artifact encountered errors while streaming data. PendingTruncate: The captain asked the member to truncate this copy of the artifact to a certain size and is waiting for confirmation. PendingDiscard: The captain asked the member to discard this copy of the artifact (for whatever reason, and is waiting for confirmation. Standalone: A artifact in the searchhead cluster that is not replicated. |
[ Top ]
https://<host>:<mPort>/services/shcluster/member/consensus
Authentication: Not required
Get latest cluster configuration from the raft consensus protocol.
| Method | Description | Formats |
|---|---|---|
| GET | Get latest cluster configuration from the raft consensus protocol. | XML, JSON |
shcluster/member/consensus method detailPagination and filtering parameters can be used with this method.
For each member:
| configuration_id | Unique id for this configuration. |
| servers_list | Comma-separated list of members that are part of the cluster. Each member is listed as scheme://host:port |
[ Top ]
https://<host>:<mPort>/services/shcluster/member/info
Authentication: Not required
Access searchhead cluster member node information.
| Method | Description | Formats |
|---|---|---|
| GET | List member information. | XML, JSON |
shcluster/member/info method detailPagination and filtering parameters can be used with this method.
For each member:
| adhoc_searchhead | Flag that indicates if this member can run scheduled searches. |
| is_registered | Indicates if this member is registered with the searchhead cluster captain. |
| last_heartbeat_attempt | Timestamp for the last attempt to contact the captain. |
| maintenance_mode | N/A |
| peer_load_stats_gla_15m | Number of scheduled searches run in the last 15 minutes. |
| peer_load_stats_gla_1m | Number of scheduled searches run in the last one minute. |
| peer_load_stats_gla_5m | Number of scheduled searches run in the last five minutes. |
| peer_load_stats_max_runtime | N/A |
| peer_load_stats_num_autosummary | N/A |
| peer_load_stats_num_historical | N/A |
| peer_load_stats_num_realtime | N/A |
| peer_load_stats_num_running | N/A |
| peer_load_stats_total_runtime | N/A |
| restart_state | Indicates whether the member needs to be restarted to enable its searchhead cluster configuration. |
| status | Indicates the status of the member. Possible values: Up Down Pending Detention Restarting DecommAvaitingPeer DecommFixingBuckets Decommissioned |
[ Top ]
curl -k -u admin:pass https://localhost:8089/services/cluster/config
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clusterconfig</title>
<id>https://localhost:8089/services/cluster/config</id>
<updated>2012-09-05T10:19:49-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>config</title>
<id>https://localhost:8089/services/cluster/config/config</id>
<updated>2012-09-05T10:19:49-07:00</updated>
<link href="/services/cluster/config/config" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/config/config" rel="list"/>
<link href="/services/cluster/config/config/_reload" rel="_reload"/>
<link href="/services/cluster/config/config" rel="edit"/>
<link href="/services/cluster/config/config/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="cxn_timeout">60</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="forwarderdata_rcv_port">0</s:key>
<s:key name="forwarderdata_use_ssl">1</s:key>
<s:key name="heartbeat_period">1</s:key>
<s:key name="heartbeat_timeout">60</s:key>
<s:key name="master_uri"></s:key>
<s:key name="max_peer_build_load">5</s:key>
<s:key name="max_peer_rep_load">5</s:key>
<s:key name="mode">master</s:key>
<s:key name="ping_flag">1</s:key>
<s:key name="quiet_period">60</s:key>
<s:key name="rcv_timeout">60</s:key>
<s:key name="register_forwarder_address"></s:key>
<s:key name="register_replication_address"></s:key>
<s:key name="register_search_address"></s:key>
<s:key name="rep_cxn_timeout">5</s:key>
<s:key name="rep_max_rcv_timeout">600</s:key>
<s:key name="rep_max_send_timeout">600</s:key>
<s:key name="rep_rcv_timeout">10</s:key>
<s:key name="rep_send_timeout">5</s:key>
<s:key name="replication_factor">2</s:key>
<s:key name="replication_port"></s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="restart_timeout">600</s:key>
<s:key name="search_factor">2</s:key>
<s:key name="secret">********</s:key>
<s:key name="send_timeout">60</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterbuckets</title>
<id>https://localhost:8089/services/cluster/master/buckets</id>
<updated>2014-04-17T19:13:57+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/buckets/_new" rel="create"/>
<opensearch:totalResults>24</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
<id>https://localhost:8089/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
<updated>2014-04-17T19:13:57+00:00</updated>
<link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
<link href="/services/cluster/master/buckets/_audit~0~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="bucket_size">47187</s:key>
<s:key name="constrain_to_origin_site">1</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="force_roll">0</s:key>
<s:key name="frozen">0</s:key>
<s:key name="index">_audit</s:key>
<s:key name="origin_site">site2</s:key>
<s:key name="peers">
<s:dict>
<s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
<s:dict>
<s:key name="bucket_flags">0x6</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
<s:dict>
<s:key name="bucket_flags">0x0</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
<s:dict>
<s:key name="bucket_flags">0x0</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Unsearchable</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="primaries_by_site">
<s:dict>
<s:key name="site1">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
<s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
</s:dict>
</s:key>
<s:key name="rep_count_by_site">
<s:dict>
<s:key name="site2">3</s:key>
</s:dict>
</s:key>
<s:key name="search_count_by_site">
<s:dict>
<s:key name="site2">2</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
<s:key name="standalone">0</s:key>
</s:dict>
</content>
</entry>
<entry>
.
.
.
elided
.
.
.
<entry>
<title>_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
<id>https://localhost:8089/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
<updated>2014-04-17T19:13:57+00:00</updated>
<link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
<link href="/services/cluster/master/buckets/_internal~1~E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="bucket_size"></s:key>
<s:key name="constrain_to_origin_site">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="force_roll">0</s:key>
<s:key name="frozen">0</s:key>
<s:key name="index">_internal</s:key>
<s:key name="origin_site">site2</s:key>
<s:key name="peers">
<s:dict>
<s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
<s:dict>
<s:key name="bucket_flags">0x2</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">StreamingTarget</s:key>
</s:dict>
</s:key>
<s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
<s:dict>
<s:key name="bucket_flags">0x0</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Unsearchable</s:key>
<s:key name="status">StreamingTarget</s:key>
</s:dict>
</s:key>
<s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
<s:dict>
<s:key name="bucket_flags">0x4</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">StreamingSource</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="primaries_by_site">
<s:dict>
<s:key name="site1">61666763-43E9-411B-9464-D80A5119EF0E</s:key>
<s:key name="site2">E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</s:key>
</s:dict>
</s:key>
<s:key name="rep_count_by_site">
<s:dict>
<s:key name="site1">1</s:key>
<s:key name="site2">2</s:key>
</s:dict>
</s:key>
<s:key name="search_count_by_site">
<s:dict>
<s:key name="site1">1</s:key>
<s:key name="site2">1</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
<s:key name="standalone">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/buckets/internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterbuckets</title>
<id>https://localhost:8089/services/cluster/master/buckets</id>
<updated>2014-04-17T19:16:03+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/buckets/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
<id>https://localhost:8089/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
<updated>2014-04-17T19:16:03+00:00</updated>
<link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
<link href="/services/cluster/master/buckets/_internal~1~238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="bucket_size"></s:key>
<s:key name="constrain_to_origin_site">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">
... elided ...
</s:key>
<s:key name="force_roll">0</s:key>
<s:key name="frozen">0</s:key>
<s:key name="index">_internal</s:key>
<s:key name="origin_site">site2</s:key>
<s:key name="peers">
<s:dict>
<s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
<s:dict>
<s:key name="bucket_flags">0x4</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">StreamingSource</s:key>
</s:dict>
</s:key>
<s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
<s:dict>
<s:key name="bucket_flags">0x2</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">StreamingTarget</s:key>
</s:dict>
</s:key>
<s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
<s:dict>
<s:key name="bucket_flags">0x0</s:key>
<s:key name="checksum"></s:key>
<s:key name="checksum_state">StableCksum</s:key>
<s:key name="search_state">Unsearchable</s:key>
<s:key name="status">StreamingTarget</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="primaries_by_site">
<s:dict>
<s:key name="site1">29F9560E-A44A-425C-8753-1C6158B46C84</s:key>
<s:key name="site2">238C3311-F0A4-4A9B-97F0-53667CFFEEAB</s:key>
</s:dict>
</s:key>
<s:key name="rep_count_by_site">
<s:dict>
<s:key name="site1">1</s:key>
<s:key name="site2">2</s:key>
</s:dict>
</s:key>
<s:key name="search_count_by_site">
<s:dict>
<s:key name="site1">1</s:key>
<s:key name="site2">1</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
<s:key name="standalone">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/control/control/rebalance_primaries --request POST
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastercontrol</title>
<id>https://localhost:8089/services/cluster/master/control</id>
<updated>2013-08-21T13:08:52-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/control/control/remove_peers --request POST -d "peers=F2AA19BD-622F-4F8C-A8E0-1233"
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastercontrol</title>
<id>https://localhost:8089/services/cluster/master/control</id>
<updated>2014-09-10T13:12:54-07:00</updated>
<generator build="230688" version="6.2"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastergeneration</title>
<id>https://localhost:8089/services/cluster/master/generation</id>
<updated>2012-09-05T10:39:54-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>https://localhost:8089/services/cluster/master/generation/master</id>
<updated>2012-09-05T10:39:54-07:00</updated>
<link href="/services/cluster/master/generation/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/generation/master" rel="list"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="generation_id">2</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
<s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="pending_generation_id">3</s:key>
<s:key name="pending_last_attempt">0</s:key>
<s:key name="pending_last_reason"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://myserver:8089/services/cluster/master/generation -d name=foo
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastergeneration</title>
<id>https://myserver:8089/services/cluster/master/generation</id>
<updated>2013-10-31T13:58:51-07:00</updated>
<generator build="184661" version="20131030"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/generation/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>https://myserver:8089/services/cluster/master/generation/master</id>
<updated>2013-10-31T13:58:51-07:00</updated>
<link href="/services/cluster/master/generation/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/generation/master" rel="list"/>
<link href="/services/cluster/master/generation/master" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="generation_id">5</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="11111111-1111-1111-1111-111111111111">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
<s:key name="peer">PEER1</s:key>
</s:dict>
</s:key>
<s:key name="22222222-2222-2222-2222-222222222222">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
<s:key name="peer">PEER2</s:key>
</s:dict>
</s:key>
<s:key name="33333333-3333-3333-3333-333333333333">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
<s:key name="peer">PEER3</s:key>
</s:dict>
</s:key>
<s:key name="44444444-4444-4444-4444-444444444444">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
<s:key name="peer">PEER4</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="pending_generation_id">6</s:key>
<s:key name="pending_last_attempt">0</s:key>
<s:key name="pending_last_reason"></s:key>
<s:key name="replication_factor_met">1</s:key>
<s:key name="search_factor_met">1</s:key>
<s:key name="was_forced">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/generation/master
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastergeneration</title>
<id>https://localhost:8089/services/cluster/master/generation</id>
<updated>2012-09-05T10:45:27-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>https://localhost:8089/services/cluster/master/generation/master</id>
<updated>2012-09-05T10:45:27-07:00</updated>
<link href="/services/cluster/master/generation/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/generation/master" rel="list"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="generation_id">2</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
<s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="pending_generation_id">3</s:key>
<s:key name="pending_last_attempt">0</s:key>
<s:key name="pending_last_reason"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://myserver:8089/services/cluster/master/generation/foo -X POST -d generation_poll_interval=62 -d label=PEER2
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastergeneration</title>
<id>https://myserver:8089/services/cluster/master/generation</id>
<updated>2013-10-31T14:37:20-07:00</updated>
<generator build="184661" version="20131030"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/generation/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>https://myserver:8089/services/cluster/master/generation/master</id>
<updated>2013-10-31T14:37:20-07:00</updated>
<link href="/services/cluster/master/generation/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/generation/master" rel="list"/>
<link href="/services/cluster/master/generation/master" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="generation_id">5</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="11111111-1111-1111-1111-111111111111">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6431</s:key>
<s:key name="peer">PEER1</s:key>
</s:dict>
</s:key>
<s:key name="22222222-2222-2222-2222-222222222222">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6432</s:key>
<s:key name="peer">PEER2</s:key>
</s:dict>
</s:key>
<s:key name="33333333-3333-3333-3333-333333333333">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6433</s:key>
<s:key name="peer">PEER3</s:key>
</s:dict>
</s:key>
<s:key name="44444444-4444-4444-4444-444444444444">
<s:dict>
<s:key name="host_port_pair">myserver.splunk.com:6434</s:key>
<s:key name="peer">PEER4</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="pending_generation_id">6</s:key>
<s:key name="pending_last_attempt">0</s:key>
<s:key name="pending_last_reason"></s:key>
<s:key name="replication_factor_met">1</s:key>
<s:key name="search_factor_met">1</s:key>
<s:key name="was_forced">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/indexes
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterpeerindexes</title>
<id>https://localhost:8089/services/cluster/master/indexes</id>
<updated>2014-04-17T19:11:14+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_audit</title>
<id>https://localhost:8089/services/cluster/master/indexes/_audit</id>
<updated>2014-04-17T19:11:14+00:00</updated>
<link href="/services/cluster/master/indexes/_audit" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/indexes/_audit" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="buckets_with_excess_copies">0</s:key>
<s:key name="buckets_with_excess_searchable_copies">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="index_size">284975</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
<s:key name="num_buckets">12</s:key>
<s:key name="replicated_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="2">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="searchable_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="sort_order">4294967295</s:key>
<s:key name="total_excess_bucket_copies">0</s:key>
<s:key name="total_excess_searchable_copies">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>_internal</title>
<id>https://localhost:8089/services/cluster/master/indexes/_internal</id>
<updated>2014-04-17T19:11:14+00:00</updated>
<link href="/services/cluster/master/indexes/_internal" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/indexes/_internal" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="buckets_with_excess_copies">0</s:key>
<s:key name="buckets_with_excess_searchable_copies">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="index_size">1190869</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
<s:key name="num_buckets">12</s:key>
<s:key name="replicated_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="2">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="searchable_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="sort_order">4294967295</s:key>
<s:key name="total_excess_bucket_copies">0</s:key>
<s:key name="total_excess_searchable_copies">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/indexes/_audit
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterpeerindexes</title>
<id>https://localhost:8089/services/cluster/master/indexes</id>
<updated>2014-04-17T19:11:14+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_audit</title>
<id>https://localhost:8089/services/cluster/master/indexes/_audit</id>
<updated>2014-04-17T19:11:14+00:00</updated>
<link href="/services/cluster/master/indexes/_audit" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/indexes/_audit" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="buckets_with_excess_copies">0</s:key>
<s:key name="buckets_with_excess_searchable_copies">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="index_size">284975</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="non_site_aware_buckets_in_site_aware_cluster">6</s:key>
<s:key name="num_buckets">12</s:key>
<s:key name="replicated_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="2">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="searchable_copies_tracker">
<s:dict>
<s:key name="0">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
<s:key name="1">
<s:dict>
<s:key name="actual_copies_per_slot">12</s:key>
<s:key name="expected_total_per_slot">12</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="sort_order">4294967295</s:key>
<s:key name="total_excess_bucket_copies">0</s:key>
<s:key name="total_excess_searchable_copies">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/info
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterinfo</title>
<id>http://greentea.sv.splunk.com:8089/services/cluster/master/info</id>
<updated>2013-07-23T10:36:35-07:00</updated>
<generator build="172635" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>http://greentea.sv.splunk.com:8089/services/cluster/master/info/master</id>
<updated>2013-07-23T10:36:35-07:00</updated>
<link href="/services/cluster/master/info/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/info/master" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="active_bundle">
<s:dict>
<s:key name="bundle_path">/home/eserv/schoi/apple_master/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
<s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
<s:key name="timestamp">1374594357</s:key>
</s:dict>
</s:key>
<s:key name="bundle_creation_time_on_master">1374594357</s:key>
<s:key name="bundle_validation_errors_on_master">
<s:list/>
</s:key>
<s:key name="bundle_validation_in_progress">0</s:key>
<s:key name="bundle_validation_on_master_succeeded">1</s:key>
<s:key name="data_safety_buckets_to_fix">
<s:dict>
<s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
.
.
.
elided
.
.
.
<s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
... eai:acl node elided ...
<s:key name="gen_commit_buckets_to_fix">
<s:dict>
<s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
.
.
.
elided
.
.
.
<s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="indexing_ready_flag">1</s:key>
<s:key name="initialized_flag">1</s:key>
<s:key name="label">master_nc</s:key>
<s:key name="latest_bundle">
<s:dict>
<s:key name="bundle_path">/home/eserv/schoi/apple_master/splunk/var/run/splunk/cluster/remote-bundle/66e383cafa8ff1f033e2341e35fc2e09-1374594357.bundle</s:key>
<s:key name="checksum">a98f211c7bc6b141bd4fe5775c7cd193</s:key>
<s:key name="timestamp">1374594357</s:key>
</s:dict>
</s:key>
<s:key name="maintenance_mode">0</s:key>
<s:key name="reload_bundle_issued">0</s:key>
<s:key name="rep_count_buckets_to_fix">
<s:dict>
<s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
.
.
.
elided
.
.
.
<s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="rolling_restart_flag">0</s:key>
<s:key name="search_count_buckets_to_fix">
<s:dict>
<s:key name="_internal~1~05BB0AAC-61A5-491B-9153-3B02E6DA6130">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="_internal~1~76AFDA4D-DAA7-48A8-A738-DD669A0853CD">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">resolved initial state</s:key>
<s:key name="timestamp">1374594631</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason"></s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
.
.
.
elided
.
.
.
<s:key name="i5~659~8CEAE4B4-BAB0-415E-9DA6-0438ECD8B3EF">
<s:dict>
<s:key name="initial">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
<s:key name="latest">
<s:dict>
<s:key name="reason">streaming success</s:key>
<s:key name="timestamp">1374600995</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="service_ready_flag">1</s:key>
<s:key name="start_time">1374594571</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/peers
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterpeers</title>
<id>https://localhost:8089/services/cluster/master/peers</id>
<updated>2014-04-17T19:17:08+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/peers/_new" rel="create"/>
<opensearch:totalResults>6</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>238C3311-F0A4-4A9B-97F0-53667CFFEEAB</title>
<id>https://localhost:8089/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB</id>
<updated>2014-04-17T19:17:08+00:00</updated>
<link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="list"/>
<link href="/services/cluster/master/peers/238C3311-F0A4-4A9B-97F0-53667CFFEEAB" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="apply_bundle_status">
<s:dict>
<s:key name="invalid_bundle">
<s:dict>
<s:key name="bundle_validation_errors">
<s:list/>
</s:key>
<s:key name="invalid_bundle_id"></s:key>
</s:dict>
</s:key>
<s:key name="reload_error"></s:key>
<s:key name="restart_required_for_apply_bundle">0</s:key>
</s:dict>
</s:key>
<s:key name="base_generation_id">6</s:key>
<s:key name="bucket_count">10</s:key>
<s:key name="bucket_count_by_index">
<s:dict>
<s:key name="_audit">5</s:key>
<s:key name="_internal">5</s:key>
</s:dict>
</s:key>
<s:key name="delayed_buckets_to_discard">
<s:list/>
</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="fixup_set">
<s:list/>
</s:key>
<s:key name="heartbeat_started">1</s:key>
<s:key name="host_port_pair">127.0.1.1:8096</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="label">s2p3</s:key>
<s:key name="last_heartbeat">1397762228</s:key>
<s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="pending_job_count">0</s:key>
<s:key name="primary_count">5</s:key>
<s:key name="primary_count_remote">2</s:key>
<s:key name="replication_count">0</s:key>
<s:key name="replication_port">9905</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="search_state_counter">
<s:dict>
<s:key name="Searchable">5</s:key>
<s:key name="SearchablePendingMask">0</s:key>
<s:key name="Unsearchable">5</s:key>
</s:dict>
</s:key>
<s:key name="site">site2</s:key>
<s:key name="status">Up</s:key>
<s:key name="status_counter">
<s:dict>
<s:key name="Complete">6</s:key>
<s:key name="NonStreamingTarget">0</s:key>
<s:key name="StreamingSource">2</s:key>
<s:key name="StreamingTarget">2</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
.
.
.
elided
.
.
.
<entry>
<title>E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</title>
<id>https://localhost:8089/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C</id>
<updated>2014-04-17T19:17:08+00:00</updated>
<link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="list"/>
<link href="/services/cluster/master/peers/E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="apply_bundle_status">
<s:dict>
<s:key name="invalid_bundle">
<s:dict>
<s:key name="bundle_validation_errors">
<s:list/>
</s:key>
<s:key name="invalid_bundle_id"></s:key>
</s:dict>
</s:key>
<s:key name="reload_error"></s:key>
<s:key name="restart_required_for_apply_bundle">0</s:key>
</s:dict>
</s:key>
<s:key name="base_generation_id">4</s:key>
<s:key name="bucket_count">13</s:key>
<s:key name="bucket_count_by_index">
<s:dict>
<s:key name="_audit">6</s:key>
<s:key name="_internal">7</s:key>
</s:dict>
</s:key>
<s:key name="delayed_buckets_to_discard">
<s:list/>
</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="fixup_set">
<s:list/>
</s:key>
<s:key name="heartbeat_started">1</s:key>
<s:key name="host_port_pair">127.0.1.1:8094</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="label">s2p1</s:key>
<s:key name="last_heartbeat">1397762227</s:key>
<s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="pending_job_count">0</s:key>
<s:key name="primary_count">7</s:key>
<s:key name="primary_count_remote">2</s:key>
<s:key name="replication_count">0</s:key>
<s:key name="replication_port">9903</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="search_state_counter">
<s:dict>
<s:key name="PendingSearchable">0</s:key>
<s:key name="Searchable">10</s:key>
<s:key name="SearchablePendingMask">0</s:key>
<s:key name="Unsearchable">3</s:key>
</s:dict>
</s:key>
<s:key name="site">site2</s:key>
<s:key name="status">Up</s:key>
<s:key name="status_counter">
<s:dict>
<s:key name="Complete">6</s:key>
<s:key name="NonStreamingTarget">0</s:key>
<s:key name="StreamingSource">2</s:key>
<s:key name="StreamingTarget">5</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermasterpeers</title>
<id>https://localhost:8089/services/cluster/master/peers</id>
<updated>2014-04-17T19:18:19+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/master/peers/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>29F9560E-A44A-425C-8753-1C6158B46C84</title>
<id>https://localhost:8089/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84</id>
<updated>2014-04-17T19:18:19+00:00</updated>
<link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="list"/>
<link href="/services/cluster/master/peers/29F9560E-A44A-425C-8753-1C6158B46C84" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="active_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="apply_bundle_status">
<s:dict>
<s:key name="invalid_bundle">
<s:dict>
<s:key name="bundle_validation_errors">
<s:list/>
</s:key>
<s:key name="invalid_bundle_id"></s:key>
</s:dict>
</s:key>
<s:key name="reload_error"></s:key>
<s:key name="restart_required_for_apply_bundle">0</s:key>
</s:dict>
</s:key>
<s:key name="base_generation_id">3</s:key>
<s:key name="bucket_count">11</s:key>
<s:key name="bucket_count_by_index">
<s:dict>
<s:key name="_audit">6</s:key>
<s:key name="_internal">5</s:key>
</s:dict>
</s:key>
<s:key name="delayed_buckets_to_discard">
<s:list/>
</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">
... elided ...
</s:key>
<s:key name="fixup_set">
<s:list/>
</s:key>
<s:key name="heartbeat_started">1</s:key>
<s:key name="host_port_pair">127.0.1.1:8092</s:key>
<s:key name="is_searchable">1</s:key>
<s:key name="label">s1p3</s:key>
<s:key name="last_heartbeat">1397762298</s:key>
<s:key name="latest_bundle_id">4708B74780A1E5101449548B1E103616</s:key>
<s:key name="pending_job_count">0</s:key>
<s:key name="primary_count">6</s:key>
<s:key name="primary_count_remote">2</s:key>
<s:key name="replication_count">0</s:key>
<s:key name="replication_port">9902</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="search_state_counter">
<s:dict>
<s:key name="PendingSearchable">0</s:key>
<s:key name="Searchable">8</s:key>
<s:key name="SearchablePendingMask">0</s:key>
<s:key name="Unsearchable">3</s:key>
</s:dict>
</s:key>
<s:key name="site">site1</s:key>
<s:key name="status">Up</s:key>
<s:key name="status_counter">
<s:dict>
<s:key name="Complete">6</s:key>
<s:key name="NonStreamingTarget">0</s:key>
<s:key name="StreamingSource">2</s:key>
<s:key name="StreamingTarget">3</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/sites
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastersites</title>
<id>https://localhost:8089/services/cluster/master/sites</id>
<updated>2014-04-17T19:12:15+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>site1</title>
<id>https://localhost:8089/services/cluster/master/sites/site1</id>
<updated>2014-04-17T19:12:15+00:00</updated>
<link href="/services/cluster/master/sites/site1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/sites/site1" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="peers">
<s:dict>
<s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8092</s:key>
<s:key name="server_name">s1p3</s:key>
</s:dict>
</s:key>
<s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8091</s:key>
<s:key name="server_name">s1p2</s:key>
</s:dict>
</s:key>
<s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8090</s:key>
<s:key name="server_name">s1p1</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>site2</title>
<id>https://localhost:8089/services/cluster/master/sites/site2</id>
<updated>2014-04-17T19:12:15+00:00</updated>
<link href="/services/cluster/master/sites/site2" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/sites/site2" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="peers">
<s:dict>
<s:key name="238C3311-F0A4-4A9B-97F0-53667CFFEEAB">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8096</s:key>
<s:key name="server_name">s2p3</s:key>
</s:dict>
</s:key>
<s:key name="C878FADC-513D-4BDD-BA48-F25BB82FE565">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8095</s:key>
<s:key name="server_name">s2p2</s:key>
</s:dict>
</s:key>
<s:key name="E4B2C5E4-0961-4F3A-A5F7-C3A4BB6B518C">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8094</s:key>
<s:key name="server_name">s2p1</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/master/sites/site1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustermastersites</title>
<id>https://localhost:8089/services/cluster/master/sites</id>
<updated>2014-04-17T19:13:07+00:00</updated>
<generator build="204899" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>site1</title>
<id>https://localhost:8089/services/cluster/master/sites/site1</id>
<updated>2014-04-17T19:13:07+00:00</updated>
<link href="/services/cluster/master/sites/site1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/master/sites/site1" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">
... elided ...
</s:key>
<s:key name="peers">
<s:dict>
<s:key name="29F9560E-A44A-425C-8753-1C6158B46C84">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8092</s:key>
<s:key name="server_name">s1p3</s:key>
</s:dict>
</s:key>
<s:key name="61666763-43E9-411B-9464-D80A5119EF0E">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8091</s:key>
<s:key name="server_name">s1p2</s:key>
</s:dict>
</s:key>
<s:key name="76C88808-2727-42B4-8C05-72DC44630FE4">
<s:dict>
<s:key name="host_port_pair">127.0.1.1:8090</s:key>
<s:key name="server_name">s1p1</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadgeneration</title>
<id>https://localhost:8089/services/cluster/searchhead/generation</id>
<updated>2012-09-05T11:13:45-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>master</title>
<id>https://localhost:8089/services/cluster/searchhead/generation/master</id>
<updated>2012-09-05T11:13:45-07:00</updated>
<link href="/services/cluster/searchhead/generation/master" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/searchhead/generation/master" rel="list"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="generation_id">2</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="2AF11DD4-1424-4A14-A522-FB9D055E9516">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8389</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
<s:key name="50FCDB42-E167-458D-A6A9-E4587E8F16D9">
<s:dict>
<s:key name="host_port_pair">splunks-ombra.sv.splunk.com:8189</s:key>
<s:key name="peer">splunks-ombra.sv.splunk.com</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/generation/https%3A%252F%252Fmyserver-mbp15.sv.splunk.com%3A8989
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadgeneration</title>
<id>https://localhost:53791/services/cluster/searchhead/generation</id>
<updated>2012-09-07T14:11:59-07:00</updated>
<generator build="136859" version="20120906"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>https://ronnie.splunk.com:53112</title>
<id>https://localhost:53791/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112</id>
<updated>2012-09-07T14:11:59-07:00</updated>
<link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/searchhead/generation/https%3A%252F%252Fronnie.splunk.com%3A53112" rel="list"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="generation_id">3</s:key>
<s:key name="generation_peers">
<s:dict>
<s:key name="33333333-3333-3333-3333-333333333333">
<s:dict>
<s:key name="host_port_pair">10.1.42.3:53309</s:key>
<s:key name="peer">peer3</s:key>
</s:dict>
</s:key>
<s:key name="44444444-4444-4444-4444-444444444444">
<s:dict>
<s:key name="host_port_pair">10.1.42.3:53411</s:key>
<s:key name="peer">peer4</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/cluster/searchhead/searchheadconfig
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadconfig</title>
<id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
<updated>2013-10-31T14:04:45-07:00</updated>
<generator build="184661" version="20131030"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
<link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>https://localhost:4567</title>
<id>https://myserver:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
<updated>2013-10-31T14:04:45-07:00</updated>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="master_uri">https://localhost:4567</s:key>
<s:key name="secret">********</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://myserver:8089/services/cluster/searchhead/searchheadconfig -d name=https://myserver:4567 -d secret=testsecret
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadconfig</title>
<id>https://localhost:8089/services/cluster/searchhead/searchheadconfig</id>
<updated>2013-10-31T14:04:45-07:00</updated>
<generator build="184661" version="20131030"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
<link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>https://localhost:4567</title>
<id>https://myserver:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
<updated>2013-10-31T14:04:45-07:00</updated>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="master_uri">https://localhost:4567</s:key>
<s:key name="secret">********</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Fmyserver%3A8211
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadconfig</title>
<id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
<updated>2013-11-05T14:34:42-08:00</updated>
<generator build="184986" version="20131101"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
<link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clustersearchheadconfig</title>
<id>https://myserver.splunk.com:8089/services/cluster/searchhead/searchheadconfig</id>
<updated>2013-11-05T14:43:00-08:00</updated>
<generator build="184986" version="20131101"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/_new" rel="create"/>
<link href="/services/cluster/searchhead/searchheadconfig/_reload" rel="_reload"/>
... openserch nodes elided ...
<s:messages/>
<entry>
<title>https://localhost:4567</title>
<id>https://myserver.splunk.com:7588/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567</id>
<updated>2013-11-05T14:43:00-08:00</updated>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="list"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567/_reload" rel="_reload"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="edit"/>
<link href="/services/cluster/searchhead/searchheadconfig/https%3A%252F%252Flocalhost%3A4567" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>master_uri</s:item>
<s:item>secret</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="master_uri">https://localhost:4567</s:key>
<s:key name="secret">********</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/cluster/slave/buckets
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clusterslavebuckets</title>
<id>https://localhost:8189/services/cluster/slave/buckets</id>
<updated>2012-09-05T12:29:42-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</title>
<id>https://localhost:8189/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516</id>
<updated>2012-09-05T12:29:42-07:00</updated>
<link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/slave/buckets/_audit~0~2AF11DD4-1424-4A14-A522-FB9D055E9516" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum"></s:key>
... eai:acl node elided ...
<s:key name="earliest_time">1346859162</s:key>
<s:key name="generations">
<s:dict>
<s:key name="0">0x0</s:key>
</s:dict>
</s:key>
<s:key name="latest_time">1346859257</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
. . . elided ...
</feed>
curl -k -u admin:pass --request DELETE https://myserver:8089/services/cluster/slave/buckets/_internal~58~11111111-1111-1111-1111-111111111111 -d bucket_id="_internal~58~11111111-1111-1111-1111-111111111111"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clusterslavebuckets</title>
<id>https://myserver:8089/services/cluster/slave/buckets</id>
<updated>2013-10-31T14:48:18-07:00</updated>
<generator build="184661" version="20131030"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8189/services/cluster/slave/buckets/_audit~0~B8B5E5C6-DB26-4952-AFB1-C5EFEFFFEA31
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clusterslavebuckets</title>
<id>https://localhost:8189/services/cluster/slave/buckets</id>
<updated>2012-09-05T12:40:43-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</title>
<id>https://localhost:8189/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9</id>
<updated>2012-09-05T12:40:43-07:00</updated>
<link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/slave/buckets/_internal~1~50FCDB42-E167-458D-A6A9-E4587E8F16D9" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum"></s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="earliest_time">0</s:key>
<s:key name="generations">
<s:dict>
<s:key name="0">0xffffffffffffffff</s:key>
</s:dict>
</s:key>
<s:key name="latest_time">0</s:key>
<s:key name="search_state">Searchable</s:key>
<s:key name="status">StreamingSource</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/cluster/slave/info
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>clusterslaveinfo</title>
<id>https://localhost:8189/services/cluster/slave/info</id>
<updated>2012-09-05T12:45:59-07:00</updated>
<generator build="136169" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>slave</title>
<id>https://localhost:8189/services/cluster/slave/info/slave</id>
<updated>2012-09-05T12:45:59-07:00</updated>
<link href="/services/cluster/slave/info/slave" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/cluster/slave/info/slave" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="active_bundle">
<s:dict>
<s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
<s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
<s:key name="timestamp">1346858928</s:key>
</s:dict>
</s:key>
<s:key name="base_generation_id">2</s:key>
... eai:acl node elided ...
<s:key name="invalid_bundle_ids">
<s:list/>
</s:key>
<s:key name="is_registered">1</s:key>
<s:key name="last_heartbeat_attempt">1346874358</s:key>
<s:key name="latest_bundle">
<s:dict>
<s:key name="bundle_path">/Applications/splunk-peer/var/run/splunk/cluster/remote-bundle/0f6078895127ab1f715ee78a6e1ff8a1-1346858928.bundle</s:key>
<s:key name="checksum">36a883f4d47af66f78531ef474349b59</s:key>
<s:key name="timestamp">1346858928</s:key>
</s:dict>
</s:key>
<s:key name="restart_state">NoRestart</s:key>
<s:key name="status">Up</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/artifacts
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustercaptainartifacts</title>
<id>https://localhost:8089/services/shcluster/captain/artifacts</id>
<updated>2014-10-15T08:44:41-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/shcluster/captain/artifacts/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:44:41-07:00</updated>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="artifact_size">282624</s:key>
... eai:acl node elided ...
<s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="peers">
<s:dict>
<s:key name="88888888-8888-8888-8888-888888888888">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="99999999-9999-9999-9999-999999999999">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:44:41-07:00</updated>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="artifact_size">282624</s:key>
... eai:acl node elided ...
<s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="peers">
<s:dict>
<s:key name="88888888-8888-8888-8888-888888888888">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="99999999-9999-9999-9999-999999999999">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:44:41-07:00</updated>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="artifact_size">253952</s:key>
... eai:acl node elided ...
<s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="peers">
<s:dict>
<s:key name="88888888-8888-8888-8888-888888888888">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="99999999-9999-9999-9999-999999999999">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387300_288_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:44:41-07:00</updated>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/captain/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="artifact_size">253952</s:key>
... eai:acl node elided ...
<s:key name="origin_guid">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="peers">
<s:dict>
<s:key name="88888888-8888-8888-8888-888888888888">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/searchhead/var/run/splunk/dispatch/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
<s:key name="99999999-9999-9999-9999-999999999999">
<s:dict>
<s:key name="directory_path">/home/svasan/splunk/dash/var/run/splunk/dispatch/rsa_scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387600_289_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="status">Complete</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="service_after_time">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/artifacts/{name}
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/info
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustercaptaininfo</title>
<id>https://localhost:8089/services/shcluster/captain/info</id>
<updated>2014-10-15T08:45:25-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>captain</title>
<id>https://localhost:8089/services/shcluster/captain/info/captain</id>
<updated>2014-10-15T08:45:25-07:00</updated>
<link href="/services/shcluster/captain/info/captain" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/info/captain" rel="list"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="elected_captain">1413307273</s:key>
<s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
<s:key name="initialized_flag">1</s:key>
<s:key name="label">searchhead</s:key>
<s:key name="maintenance_mode">0</s:key>
<s:key name="min_peers_joined_flag">1</s:key>
<s:key name="peer_scheme_host_port">https://localhost:55569</s:key>
<s:key name="rolling_restart_flag">0</s:key>
<s:key name="service_ready_flag">1</s:key>
<s:key name="start_time">1413307203</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/jobs
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustercaptainjobs</title>
<id>https://localhost:8089/services/shcluster/captain/jobs</id>
<updated>2014-10-15T08:47:50-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/shcluster/captain/jobs/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>savedsearch_Alert - syslog errors last hour_1087026166</title>
<id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166</id>
<updated>2014-10-15T08:47:50-07:00</updated>
<link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_1087026166" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="ATTEMPT_1">
<s:dict>
<s:key name="dispatch_time">1413363600</s:key>
<s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Application does not exist: SA-nix</msg>
</messages>
</response>
'</s:key>
<s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
<s:key name="sid">NO_SID_RECEIVED_YET</s:key>
<s:key name="success">0</s:key>
</s:dict>
</s:key>
<s:key name="ATTEMPT_2">
<s:dict>
<s:key name="dispatch_time">1413363600</s:key>
<s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413363600_203_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="success">1</s:key>
</s:dict>
</s:key>
... eai:acl node elided ...
<s:key name="job_state">COMPLETED</s:key>
<s:key name="saved_search">Alert - syslog errors last hour</s:key>
<s:key name="savedsearchtype">savedsearch</s:key>
<s:key name="search_app">SA-nix</s:key>
<s:key name="search_owner">admin</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>savedsearch_Alert - syslog errors last hour_11648853</title>
<id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853</id>
<updated>2014-10-15T08:47:50-07:00</updated>
<link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/jobs/savedsearch_Alert%20-%20syslog%20errors%20last%20hour_11648853" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="ATTEMPT_1">
<s:dict>
<s:key name="dispatch_time">1413316800</s:key>
<s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Application does not exist: SA-nix</msg>
</messages>
</response>
'</s:key>
<s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
<s:key name="sid">NO_SID_RECEIVED_YET</s:key>
<s:key name="success">0</s:key>
</s:dict>
</s:key>
<s:key name="ATTEMPT_2">
<s:dict>
<s:key name="dispatch_time">1413316800</s:key>
<s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="sid">scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413316800_34_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="success">1</s:key>
</s:dict>
</s:key>
... eai:acl node elided ...
<s:key name="job_state">COMPLETED</s:key>
<s:key name="saved_search">Alert - syslog errors last hour</s:key>
<s:key name="savedsearchtype">savedsearch</s:key>
<s:key name="search_app">SA-nix</s:key>
<s:key name="search_owner">admin</s:key>
</s:dict>
</content>
</entry>
.
.
.
<entry>
<title>savedsearch_fired_alerts_1050236433</title>
<id>https://localhost:8089/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433</id>
<updated>2014-10-15T08:47:50-07:00</updated>
<link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/jobs/savedsearch_fired_alerts_1050236433" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="ATTEMPT_1">
<s:dict>
<s:key name="dispatch_time">1413308100</s:key>
<s:key name="errormsg">error response peer=https://wimpy.splunk.com:55560 rc=404 reason='<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">Application does not exist: SA-nix</msg>
</messages>
</response>
'</s:key>
<s:key name="peer">99999999-9999-9999-9999-999999999999</s:key>
<s:key name="sid">NO_SID_RECEIVED_YET</s:key>
<s:key name="success">0</s:key>
</s:dict>
</s:key>
<s:key name="ATTEMPT_2">
<s:dict>
<s:key name="dispatch_time">1413308100</s:key>
<s:key name="peer">88888888-8888-8888-8888-888888888888</s:key>
<s:key name="sid">scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413308100_2_88888888-8888-8888-8888-888888888888</s:key>
<s:key name="success">1</s:key>
</s:dict>
</s:key>
... eai:acl node elided ...
<s:key name="job_state">COMPLETED</s:key>
<s:key name="saved_search">fired_alerts</s:key>
<s:key name="savedsearchtype">savedsearch</s:key>
<s:key name="search_app">SA-nix</s:key>
<s:key name="search_owner">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/jobs/{name}
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/members
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustercaptainmembers</title>
<id>https://localhost:8089/services/shcluster/captain/members</id>
<updated>2014-10-15T08:49:34-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/shcluster/captain/members/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:49:34-07:00</updated>
<link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/captain/members/88888888-8888-8888-8888-888888888888" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="adhoc_searchhead">0</s:key>
<s:key name="advertise_restart_required">0</s:key>
<s:key name="artifact_count">4</s:key>
<s:key name="delayed_artifacts_to_discard">
<s:list/>
</s:key>
... eai:acl node elided ...
<s:key name="fixup_set">
<s:list/>
</s:key>
<s:key name="host_port_pair">localhost:8089</s:key>
<s:key name="kv_store_host_port">?</s:key>
<s:key name="label">searchhead</s:key>
<s:key name="last_heartbeat">1413388171</s:key>
<s:key name="peer_scheme_host_port">https://localhost:8089</s:key>
<s:key name="pending_job_count">0</s:key>
<s:key name="replication_count">0</s:key>
<s:key name="replication_port">3456</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="site">site2</s:key>
<s:key name="status">Up</s:key>
<s:key name="status_counter">
<s:dict>
<s:key name="Complete">4</s:key>
<s:key name="PendingDiscard">0</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>99999999-9999-9999-9999-999999999999</title>
<id>https://localhost:8089/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999</id>
<updated>2014-10-15T08:49:34-07:00</updated>
<link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="list"/>
<link href="/services/shcluster/captain/members/99999999-9999-9999-9999-999999999999" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="adhoc_searchhead">0</s:key>
<s:key name="advertise_restart_required">0</s:key>
<s:key name="artifact_count">4</s:key>
<s:key name="delayed_artifacts_to_discard">
<s:list/>
</s:key>
... eai:acl node elided ...
<s:key name="fixup_set">
<s:list/>
</s:key>
<s:key name="host_port_pair">wimpy.splunk.com:55560</s:key>
<s:key name="kv_store_host_port">?</s:key>
<s:key name="label">master</s:key>
<s:key name="last_heartbeat">1413388171</s:key>
<s:key name="peer_scheme_host_port">https://wimpy.splunk.com:55560</s:key>
<s:key name="pending_job_count">0</s:key>
<s:key name="replication_count">0</s:key>
<s:key name="replication_port">55570</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="site">site1</s:key>
<s:key name="status">Up</s:key>
<s:key name="status_counter">
<s:dict>
<s:key name="Complete">4</s:key>
<s:key name="NonStreamingTarget">0</s:key>
<s:key name="PendingDiscard">0</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/captain/members/{name}
curl -k -u admin:pass https://localhost:8189/services/shcluster/config
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclusterconfig</title>
<id>https://localhost:8089/services/shcluster/config</id>
<updated>2014-10-15T08:50:47-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/shcluster/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>config</title>
<id>https://localhost:8089/services/shcluster/config/config</id>
<updated>2014-10-15T08:50:47-07:00</updated>
<link href="/services/shcluster/config/config" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/config/config" rel="list"/>
<link href="/services/shcluster/config/config/_reload" rel="_reload"/>
<link href="/services/shcluster/config/config" rel="edit"/>
<link href="/services/shcluster/config/config/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="cxn_timeout">60</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="heartbeat_period">5</s:key>
<s:key name="heartbeat_timeout">60</s:key>
<s:key name="id">BB3116C0-73B9-459A-B473-254A18A69776</s:key>
<s:key name="max_peer_rep_load">5</s:key>
<s:key name="mode">dynamic_captain</s:key>
<s:key name="percent_peers_to_restart">10</s:key>
<s:key name="ping_flag">1</s:key>
<s:key name="quiet_period">60</s:key>
<s:key name="rcv_timeout">60</s:key>
<s:key name="register_replication_address"></s:key>
<s:key name="rep_cxn_timeout">60</s:key>
<s:key name="rep_max_rcv_timeout">600</s:key>
<s:key name="rep_max_send_timeout">600</s:key>
<s:key name="rep_rcv_timeout">60</s:key>
<s:key name="rep_send_timeout">60</s:key>
<s:key name="replication_factor">2</s:key>
<s:key name="replication_port">3456</s:key>
<s:key name="replication_use_ssl">0</s:key>
<s:key name="restart_timeout">60</s:key>
<s:key name="secret">********</s:key>
<s:key name="send_timeout">60</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustermemberartifacts</title>
<id>https://localhost:8089/services/shcluster/member/artifacts</id>
<updated>2014-10-15T08:51:46-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:51:46-07:00</updated>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413381600_268_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:51:46-07:00</updated>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413385200_281_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:51:46-07:00</updated>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413387900_290_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</title>
<id>https://localhost:8089/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-15T08:51:46-07:00</updated>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD5b9b800e209365567_at_1413388200_291_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustermemberartifacts</title>
<id>https://localhost:8089/services/shcluster/member/artifacts</id>
<updated>2014-10-16T22:33:37-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</title>
<id>https://wimpy.splunk.com:55569/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888</id>
<updated>2014-10-16T22:33:37-07:00</updated>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="list"/>
<link href="/services/shcluster/member/artifacts/scheduler__admin_U0Etbml4__RMD592d31e53ed62579e_at_1413518400_762_88888888-8888-8888-8888-888888888888" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="status">Complete</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/member/consensus
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustermemberconsensus</title>
<id>https://localhost:8089/services/shcluster/member/consensus</id>
<updated>2014-10-15T08:52:28-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>shc_cluster_configuration</title>
<id>https://localhost:8089/services/shcluster/member/consensus/shc_cluster_configuration</id>
<updated>2014-10-15T08:52:28-07:00</updated>
<link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="list"/>
<link href="/services/shcluster/member/consensus/shc_cluster_configuration" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="configuration_id">4</s:key>
... eai:acl node elided ...
<s:key name="servers_list">https://localhost:55560,https://localhost:55569</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8189/services/shcluster/member/info
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>shclustermemberinfo</title>
<id>https://localhost:8089/services/shcluster/member/info</id>
<updated>2014-10-15T08:53:07-07:00</updated>
<generator build="235980" version="20141014"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>member</title>
<id>https://localhost:8089/services/shcluster/member/info/member</id>
<updated>2014-10-15T08:53:07-07:00</updated>
<link href="/services/shcluster/member/info/member" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/shcluster/member/info/member" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="adhoc_searchhead">0</s:key>
... eai:acl node elided ...
<s:key name="is_registered">1</s:key>
<s:key name="last_heartbeat_attempt">1413388386</s:key>
<s:key name="maintenance_mode">0</s:key>
<s:key name="peer_load_stats_gla_15m">3</s:key>
<s:key name="peer_load_stats_gla_1m">0</s:key>
<s:key name="peer_load_stats_gla_5m">1</s:key>
<s:key name="peer_load_stats_max_runtime">0.000000</s:key>
<s:key name="peer_load_stats_num_autosummary">0</s:key>
<s:key name="peer_load_stats_num_historical">0</s:key>
<s:key name="peer_load_stats_num_realtime">0</s:key>
<s:key name="peer_load_stats_num_running">0</s:key>
<s:key name="peer_load_stats_total_runtime">0.000000</s:key>
<s:key name="restart_state">NoRestart</s:key>
<s:key name="status">Up</s:key>
</s:dict>
</content>
</entry>
</feed>
Manage configuration files and settings.
https://<host>:<mPort>/services/configs/conf-{file}
Authentication: Not required
Access a configuration, .conf, file.
| Method | Description | Formats |
|---|---|---|
| GET | List {file} configuration file stanzas. | XML, JSON |
| POST | Add stanza to {file} configuration file. | XML, JSON |
configs/conf-{file} method detailPagination and filtering parameters can be used with this method.
None
configs/conf-{file} method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | Stanza name in {file} configuration file. | |
| <variable> | String | Arbritrary number of key/value pairs. |
None
[ Top ]
https://<host>:<mPort>/services/configs/conf-{file}/{stanza}
Authentication: Not required
Manage configuration file stanzas.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete {stanza} in {file} configuration file. | XML, JSON |
| GET | Get {stanza} in {file} configuration file. | XML, JSON |
| POST | Update or add property to {stanza} in {file} configuration file. | XML, JSON |
configs/conf-{file}/{stanza} method detailNone
None
configs/conf-{file}/{stanza} method detailNone
None
configs/conf-{file}/{stanza} method detail| Name | Type | Default | Description |
|---|---|---|---|
| <variable> | String | Arbitrary number of key/value pairs to update. |
None
[ Top ]
https://<host>:<mPort>/services/properties
Authentication: Not required
Manage configuration, .conf, files.
| Method | Description | Formats |
|---|---|---|
| GET | List all system and app configuration files. | XML, JSON |
| POST | Create a configuration file. | XML, JSON |
properties method detailNone
None
properties method detail| Name | Type | Default | Description |
|---|---|---|---|
| __conf required | String | Name of the configuration file to create. (Note double underscore prefix. |
None
The namespace specified in the URL determines where the configuration file is created. For example, /services/properties creates the file in the $SPLUNK_BASE/etc/system/local directory and servicesNS/nobody/search creates the file in the $SPLUNK_BASE/etc/apps/search/local directory.
[ Top ]
https://<host>:<mPort>/services/properties/{file}
Authentication: Not required
Access stanzas in specified configuration file.
| Method | Description | Formats |
|---|---|---|
| GET | List stanzas in {file} configuration file. | XML, JSON |
| POST | Add stanza to {file} configuration file. | XML, JSON |
properties/{file} method detailNone
None
The endpoint returns an <entry> for each stanza in addition to <default> stanzas.
The URL namespace determines the scope of visible stanzas. The endpoint returns all stanzas of the specified configuration file, for all configuration files and stanzas visible in the namespace.
properties/{file} method detail| Name | Type | Default | Description |
|---|---|---|---|
| __stanza required | String | The key/value pair of the stanza to add. Note double underscore prefix. |
None
[ Top ]
https://<host>:<mPort>/services/properties/{file}/{stanza}
Authentication: Not required
Access stanza key/value pair(s) of specified configuration file.
| Method | Description | Formats |
|---|---|---|
| GET | List {stanza} key/value pair(s) of {file} configuration file. | XML, JSON |
| POST | Add or update one or more key/value pair(s) in {stanza} of {file} configuration file. | XML, JSON |
properties/{file}/{stanza} method detailNone
None
Each <entry> is a {stanza} key with a <content> value.
The URL namespace determines the scope of visible stanzas. The endpoint returns all stanzas of the specified configuration file, for all configuration files and stanzas visible in the namespace.
properties/{file}/{stanza} method detail| Name | Type | Default | Description |
|---|---|---|---|
| <variable> required | String | One or more key/value pair(s). |
None
A response <message> indicates the update success or failure status.
[ Top ]
https://<host>:<mPort>/services/properties/{file}/{stanza}/{key}
Authentication: Not required
Access stanza key value of specified configuration file.
| Method | Description | Formats |
|---|---|---|
| GET | Get plaintext {key} value in {stanza} of {file} configuration file. | XML, JSON |
| POST | Update plaintext {key} value in {stanza} of {file} configuration file. | XML, JSON |
properties/{file}/{stanza}/{key} method detailNone
| Name | Description |
|---|---|
| <variable> | Plaintext value. |
properties/{file}/{stanza}/{key} method detail| Name | Type | Default | Description |
|---|---|---|---|
| <variable> required | String | Plaintext value. |
None
[ Top ]
curl -k -u admin:pass https://localhost:8089/services/configs/conf-props
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>conf-props</title>
<id>https://localhost:8089/services/configs/conf-props</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/configs/conf-props/_new" rel="create"/>
<link href="/services/configs/conf-props/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>(?i)source::....zip(.\d+)?</title>
<id>https://localhost:8089/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="list"/>
<link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F" rel="edit"/>
<link href="/servicesNS/nobody/system/configs/conf-props/%28%3Fi%29source%3A%3A....zip%28.%5Cd%2B%29%3F/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="ANNOTATE_PUNCT">1</s:key>
<s:key name="BREAK_ONLY_BEFORE"/>
<s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
<s:key name="CHARSET">UTF-8</s:key>
<s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
<s:key name="HEADER_MODE"/>
<s:key name="LEARN_SOURCETYPE">1</s:key>
<s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
<s:key name="MAX_DAYS_AGO">2000</s:key>
<s:key name="MAX_DAYS_HENCE">2</s:key>
<s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
<s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
<s:key name="MAX_EVENTS">256</s:key>
<s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
<s:key name="MUST_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_BEFORE"/>
<s:key name="NO_BINARY_CHECK">1</s:key>
<s:key name="SEGMENTATION">indexing</s:key>
<s:key name="SEGMENTATION-all">full</s:key>
<s:key name="SEGMENTATION-inner">inner</s:key>
<s:key name="SEGMENTATION-outer">outer</s:key>
<s:key name="SEGMENTATION-raw">none</s:key>
<s:key name="SEGMENTATION-standard">standard</s:key>
<s:key name="SHOULD_LINEMERGE">1</s:key>
<s:key name="TRANSFORMS"/>
<s:key name="TRUNCATE">10000</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="maxDist">100</s:key>
<s:key name="sourcetype">preprocess-zip</s:key>
<s:key name="unarchive_cmd">_auto</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props -d CHARSET=UTF-8
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>conf-props</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
<link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>myweblogs</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="list"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="edit"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="remove"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/move" rel="move"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="ANNOTATE_PUNCT">1</s:key>
<s:key name="BREAK_ONLY_BEFORE"/>
<s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
<s:key name="CHARSET">UTF-8</s:key>
<s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
<s:key name="HEADER_MODE"/>
<s:key name="LEARN_SOURCETYPE">1</s:key>
<s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
<s:key name="MAX_DAYS_AGO">2000</s:key>
<s:key name="MAX_DAYS_HENCE">2</s:key>
<s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
<s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
<s:key name="MAX_EVENTS">256</s:key>
<s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
<s:key name="MUST_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_BEFORE"/>
<s:key name="SEGMENTATION">indexing</s:key>
<s:key name="SEGMENTATION-all">full</s:key>
<s:key name="SEGMENTATION-inner">inner</s:key>
<s:key name="SEGMENTATION-outer">outer</s:key>
<s:key name="SEGMENTATION-raw">none</s:key>
<s:key name="SEGMENTATION-standard">standard</s:key>
<s:key name="SHOULD_LINEMERGE">0</s:key>
<s:key name="TRANSFORMS"/>
<s:key name="TRUNCATE">10000</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="maxDist">100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>conf-props</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
<updated>2011-07-08T01:01:27-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
<link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>conf-eventtypes</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes</id>
<updated>2014-07-01T13:08:45-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/_new" rel="create"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>splunkd_message</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message</id>
<updated>2014-07-01T13:08:45-07:00</updated>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="list"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="edit"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message" rel="remove"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/move" rel="move"/>
<link href="/servicesNS/nobody/search/configs/conf-eventtypes/splunkd_message/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CHARSET">UTF-8</s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">admin</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">1</s:key>
<s:key name="sharing">global</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>.*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="priority">1</s:key>
<s:key name="search"></s:key>
<s:key name="tags"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs -d SHOULD_LINEMERGE=true
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>conf-props</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-props/_new" rel="create"/>
<link href="/servicesNS/nobody/search/configs/conf-props/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>myweblogs</title>
<id>https://localhost:8089/servicesNS/nobody/search/configs/conf-props/myweblogs</id>
<updated>2011-07-08T01:01:26-07:00</updated>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="list"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="edit"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs" rel="remove"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/move" rel="move"/>
<link href="/servicesNS/nobody/search/configs/conf-props/myweblogs/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="ANNOTATE_PUNCT">1</s:key>
<s:key name="BREAK_ONLY_BEFORE"/>
<s:key name="BREAK_ONLY_BEFORE_DATE">1</s:key>
<s:key name="CHARSET">UTF-8</s:key>
<s:key name="DATETIME_CONFIG">/etc/datetime.xml</s:key>
<s:key name="HEADER_MODE"/>
<s:key name="LEARN_SOURCETYPE">1</s:key>
<s:key name="LINE_BREAKER_LOOKBEHIND">100</s:key>
<s:key name="MAX_DAYS_AGO">2000</s:key>
<s:key name="MAX_DAYS_HENCE">2</s:key>
<s:key name="MAX_DIFF_SECS_AGO">3600</s:key>
<s:key name="MAX_DIFF_SECS_HENCE">604800</s:key>
<s:key name="MAX_EVENTS">256</s:key>
<s:key name="MAX_TIMESTAMP_LOOKAHEAD">128</s:key>
<s:key name="MUST_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_AFTER"/>
<s:key name="MUST_NOT_BREAK_BEFORE"/>
<s:key name="SEGMENTATION">indexing</s:key>
<s:key name="SEGMENTATION-all">full</s:key>
<s:key name="SEGMENTATION-inner">inner</s:key>
<s:key name="SEGMENTATION-outer">outer</s:key>
<s:key name="SEGMENTATION-raw">none</s:key>
<s:key name="SEGMENTATION-standard">standard</s:key>
<s:key name="SHOULD_LINEMERGE">1</s:key>
<s:key name="TRANSFORMS"/>
<s:key name="TRUNCATE">10000</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl nodes elided for brevity. -->
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="maxDist">100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/properties
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>properties</title>
<id>https://localhost:8089/services/properties</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>alert_actions</title>
<id>https://localhost:8089/services/properties/alert_actions</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/alert_actions" rel="alternate"/>
</entry>
<entry>
<title>app</title>
<id>https://localhost:8089/services/properties/app</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/app" rel="alternate"/>
</entry>
<entry>
<title>audit</title>
<id>https://localhost:8089/services/properties/audit</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/audit" rel="alternate"/>
</entry>
.
.
.
elided
.
.
.
<entry>
<title>viewstates</title>
<id>https://localhost:8089/services/properties/viewstates</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/viewstates" rel="alternate"/>
</entry>
<entry>
<title>web</title>
<id>https://localhost:8089/services/properties/web</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/web" rel="alternate"/>
</entry>
<entry>
<title>workflow_actions</title>
<id>https://localhost:8089/services/properties/workflow_actions</id>
<updated>2014-07-01T13:17:36-07:00</updated>
<link href="/services/properties/workflow_actions" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/properties -d __conf=myAppConfigFile
No response body.
Returns: HTTP status = 201 (created)
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>default</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/default</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/default" rel="alternate"/>
</entry>
<entry>
<title>internal_search_terms</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/internal_search_terms</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/internal_search_terms" rel="alternate"/>
</entry>
<entry>
<title>proxylogs</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/proxylogs</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/proxylogs" rel="alternate"/>
</entry>
<entry>
<title>splunkd-access</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-access</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-access" rel="alternate"/>
</entry>
<entry>
<title>splunkd-log</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd-log</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/splunkd-log" rel="alternate"/>
</entry>
<entry>
<title>splunkd_message</title>
<id>https://localhost:8089/servicesNS/nobody/search/properties/eventtypes/splunkd_message</id>
<updated>2014-07-17T10:24:53-07:00</updated>
<link href="/servicesNS/nobody/search/properties/eventtypes/splunkd_message" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/properties/eventtypes -d __stanza=proxylogs
No data returned in body.
Returns: HTTP status 201 (created)
curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>proxylogs</title>
<id>https://localhost:8089/services/properties/props/proxylogs</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>ANNOTATE_PUNCT</title>
<id>https://localhost:8089/services/properties/props/proxylogs/ANNOTATE_PUNCT</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/ANNOTATE_PUNCT" rel="alternate"/>
<content type="text">True</content>
</entry>
<entry>
<title>BREAK_ONLY_BEFORE</title>
<id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE" rel="alternate"/>
<content type="text"/>
</entry>
<entry>
<title>BREAK_ONLY_BEFORE_DATE</title>
<id>https://localhost:8089/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/BREAK_ONLY_BEFORE_DATE" rel="alternate"/>
<content type="text">True</content>
</entry>
.
.
.
elided
.
.
.
<entry>
<title>TRANSFORMS</title>
<id>https://localhost:8089/services/properties/props/proxylogs/TRANSFORMS</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/TRANSFORMS" rel="alternate"/>
<content type="text"/>
</entry>
<entry>
<title>TRUNCATE</title>
<id>https://localhost:8089/services/properties/props/proxylogs/TRUNCATE</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/TRUNCATE" rel="alternate"/>
<content type="text">10000</content>
</entry>
<entry>
<title>maxDist</title>
<id>https://localhost:8089/services/properties/props/proxylogs/maxDist</id>
<updated>2011-07-08T12:08:52-07:00</updated>
<link href="/services/properties/props/proxylogs/maxDist" rel="alternate"/>
<content type="text">100</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs -d NO_BINARY_CHECK=true -d CHARSET=UTF-8
<response>
<messages>
<msg type="INFO">Successfully modified 2 key(s)</msg>
</messages>
</response>
curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE
Returns: True
curl -k -u admin:pass https://localhost:8089/services/properties/props/proxylogs/SHOULD_LINEMERGE -d value=false
<response>
<messages>
<msg type="INFO">Successfully modified 1 key(s)</msg>
</messages>
</response>
Manage deployment servers and clients.
A deployment server configures a deployment client. Deployment clients and servers can reside on separate, distributed Splunk Enterprise instances or can both reside on the same instance.
https://<host>:<mPort>/services/deployment/client
Authentication: Not required
List deployment client configuration and status.
| Method | Description | Formats |
|---|---|---|
| GET | Get deployment client list with enabled status, server class, and host and port number of each. | XML, JSON |
deployment/client method detailPagination and filtering parameters can be used with this method.
For each deployment client:
| Name | Description |
|---|---|
| disabled | Disabled status: 0 = Enabled 1 = Disabled |
| serverClasses | List of member server classes for app download authorization. |
| targetUri | Host and port number (<host>:<port>). |
[ Top ]
https://<host>:<mPort>/services/deployment/client/config
Authentication: Not required
Get deployment client configuration and status.
| Method | Description | Formats |
|---|---|---|
| GET | Get deployment client enabled status, server class for app distribution, and host and port number. | XML, JSON |
deployment/client/config method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Disabled status: 0 = Enabled 1 = Disabled |
| serverClasses | List of member server classes for app download authorization. |
| targetUri | Host and port number (<host>:<port>). |
[ Top ]
https://<host>:<mPort>/services/deployment/client/config/listIsDisabled
Authentication: Not required
Get deployment client status.
| Method | Description | Formats |
|---|---|---|
| GET | Get deployment client disabled status. | XML, JSON |
deployment/client/config/listIsDisabled method detailNone
| Name | Description |
|---|---|
| disabled | Disabled status: 0 = Enabled 1 = Disabled |
[ Top ]
https://<host>:<mPort>/services/deployment/client/{name}/reload
Authentication: Not required
Restart and reload {name} deployment client.
| Method | Description | Formats |
|---|---|---|
| POST | Restart {name} deployment client and reload configuration from disk. | XML, JSON |
deployment/client/{name}/reload method detailNone
| Name | Description |
|---|---|
| disabled | Disabled status: 0 = Enabled 1 = Disabled |
| serverClasses | List of member server classes for app download authorization. |
| targetUri | Host and port number (<host>:<port>). |
[ Top ]
https://<host>:<mPort>/services/deployment/server/applications
Authentication: Not required
Selectively list distributed apps.
| Method | Description | Formats |
|---|---|---|
| GET | Selectively list distributed apps, including distributed state information. | XML, JSON |
deployment/server/applications method detail| Name | Type | Default | Description |
|---|---|---|---|
| clientId | String | Select apps that match clientId. | |
| hasDeploymentError | Boolean | Select apps according to deployment fault status: 0 = Do not include apps with a deployment fault indication. 1 = Include apps with a deployment fault indication. |
Pagination and filtering parameters can be used with this method.
For each app listed:
| Name | Description |
|---|---|
| archive | Disk location of the archived version of the app. |
| clientId | Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes. |
| hasDeploymentError | Indicates deployment fault status on at least one deployment client: 0 = Do not include apps with a deployment fault indication. 1 = Include apps with a deployment fault indication. |
| loadtime | Last deployment server app loaded or reloaded date and time. |
| restartSplunkWeb | Restart Splunk Web indication: 0 = Do not restart Splunk Web. 1 = Restart Splunk Web. |
| restartSplunkd | Restart splunkd indication: 0 = Do not restart splunkd. 1 = Restart splunkd. |
| serverclasses | List of server classes associated with the application. |
| size | Size on disk of the compressed app (bundle), in bytes. |
| stateOnClient | App enablement status: 0 = Not enabled. 1 = Enabled. |
An application not mapped to serverclasses is not loaded so loadtime is 0.
[ Top ]
https://<host>:<mPort>/services/deployment/server/applications/{name}
Authentication: Not required
Get or update distribution information for {name} app.
| Method | Description | Formats |
|---|---|---|
| GET | Get {name} app distribution information. | XML, JSON |
| POST | Update {name} app distribution information. | XML, JSON |
deployment/server/applications/{name} method detailNone
| Name | Description |
|---|---|
| Attribute | Description |
| archive | Disk location of archived version of the app. |
| clientId | Deployment client ID associated with the app, an MD5 hash value of serialized (catenated) client attributes. |
| hasDeploymentError | Indicates deployment fault status on at least one deployment client: 0 = Do not include apps with a deployment fault indication. 1 = Include apps with a deployment fault indication. |
| loadtime | Last deployment server app loaded or reloaded date and time. |
| restartSplunkWeb | Restart Splunk Web indication: 0 = Do not restart Splunk Web. 1 = Restart Splunk Web. |
| restartSplunkd | Restart splunkd indication: 0 = Do not restart splunkd. 1 = Restart splunkd. |
| serverclasses | List of server classes associated with the application. |
| size | Size on disk of the compressed app (bundle), in bytes. |
| stateOnClient | App enablement status: 0 = Not enabled. 1 = Enabled. |
An application not mapped to serverclasses is not loaded so loadtime is 0.
deployment/server/applications/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| blacklist.* | String | List of hosts to exclude when mapping application to a server class. For each blacklist, replace the wildcard (*) with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive. | |
| continueMatching | Boolean | Configuration layering indication, across classes and server-specific settings: true = [Default] Configuration lookups continue matching server classes after the first match. false = Use the first match, only. | |
| deinstall | Boolean | Remove mapping indication: true = Remove mapping of {name} from all server classes and delete it from client target repositories. false = Do not remove mapping of {name}. | |
| filterType | Enum | Filter execution order: whitelist = Whitelist filters are applied before blacklist filters. blacklist = Blacklist filters are applied before whitelist filters. | |
| machineTypesFilter | String | Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.
Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included. Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter. The patterns are PCRE regular expressions, with the following aids for easier entry:
| |
| repositoryLocation | String | The location on the deployment server to store the content that is to be deployed for this server class.
For example: $SPLUNK_HOME/etc/deployment-apps | |
| restartSplunkWeb | Boolean | Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.
Defaults to false | |
| restartSplunkd | Boolean | Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.
Defaults to false | |
| serverclass | String | The name of the server class to which the application is mapped.
Do not specify this parameter if | |
| stateOnClient | Enum | Valid values are (enabled | disabled | noop).
| |
| targetRepositoryLocation | String | The location on the deployment client to install the apps defined for this Deployment Server.
If unset, or set to empty, the repositoryLocation path is used. That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk Enterprise instance) Useful only with complex (for example, tiered) deployment strategies. | |
| tmpFolder | String | Working folder used by deployment server.
Defaults to $SPLUNK_HOME/var/run/tmp | |
| unmap | Boolean | Indicates whether to remove the mapping of the application to the specified server class. | |
| whitelist.* | String | List of hosts to accept for this server class.
For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive. |
| Name | Description |
|---|---|
| archive | Specifies the location of the compressed version (bundle) of the app. |
| blacklist.* | Regular expressions used to exclude, when mapping this application to a client.
If a client matches any of the blacklist regular expressions, it does not receive the application. The * is replaced by an integral ordinal number. |
| continueMatching | If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. |
| filterType | blacklist)
Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters. See description for the filterType POST parameter for more information. |
| loadtime | Specifies the date and time the application was last loaded (or reloaded) by the deployment server.
An application not mapped to any serverclasses does not get loaded, thus its loadtime attribute is 0; in epoch terms, which is 01 Jan 1970 at midnight GMT. |
| machineTypesFilter | List of filters to be used in Boolean and logic with whitelist and blacklist filters. |
| repositoryLocation | The location on the deployment server to store the content that is to be deployed for this server class. |
| restartSplunkWeb | Indicates whether to restart Splunk Web. |
| restartSplunkd | Indicates whether to restart splunkd. |
| serverclass | The name of the server class to which the application is mapped. |
| serverclasses | List of server classes associated with the application. |
| size | Indicates in bytes the size on disk of the compressed version (bundle) of the application. |
| stateOnClient | Specifies whether the deployment client is enabled or disabled. |
| targetRepositoryLocation | The location on the deployment client to install the apps defined for this Deployment Server.
If unset, or set to empty, the repositoryLocation path is used. |
| tmpFolder | Working folder used by deployment server. |
| whitelist.* | Regular expressions used to accept, when mapping this application to a client.
If a client matches any of the whitelist regular expressions, it accepts the application. The * is replaced by an integral ordinal number. |
When continueMatching is true, matching is in the order in which server classes are defined.
The whitelist setting indicates a filtering strategy that includes a subset:
The blacklist setting indicates a filtering strategy that excludes a subset:
That is,
whitelist: default no-match -> whitelists enable -> blacklists disable
blacklist: default match -> blacklists disable-> whitelists enable
If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode.
[ Top ]
https://<host>:<mPort>/services/deployment/server/clients
Authentication: Not required
Provides access to information about clients to a deployment server.
| Method | Description | Formats |
|---|---|---|
| GET | Lists information about clients to a deployment server. | XML, JSON |
deployment/server/clients method detail| Name | Type | Default | Description |
|---|---|---|---|
| application | String | Lists clients to the deployment server that have attempted to download the named application. | |
| hasDeploymentError | Boolean | False | Indicates whether to list only clients that have a deployment error. |
| maxPhonehome_latency_to_avgInterval_ratio | Number | List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter. | |
| minLatestPhonehomeTime | Number | Lists clients for which there is a phone home message at the specified time or later, in epoch seconds. That is, list the client for the following condition:
client latency ? (now?minLatestPhonehomeTime) | |
| minPhonehome_latency_to_avgInterval_ratio | Number | List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter. | |
| serverclasses | String | Comma-separated list of serverclasses. List clients that are configured to receive an application to a listed serverclass.
The match is a logical OR of, for each Si, include C if C is sent an app A that maps to Si in serverclass.conf, if such an app existed. The "would have" is per blacklist.n or whitelist.n/machineTypesFilter in serverclass.conf |
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| applications | List of applications deployed to the deployment client. |
| averagePhoneHomeInterval | The average phone home interval, in seconds. |
| build | The build number for the instance of Splunk Enterprise on the deployment client. |
| dns | The DNS lookup name of the deployment client server. |
| guid | Identifier for the deployment server client. |
| hasDeploymentError | Specifies whether to check for clients with a deployment error. |
| hostname | The host name of the deployment client server. |
| id | ID for the client based on client name and IP address. |
| ip | The IP address of the client to the deployment server. |
| lastPhoneHomeTime | The last time the deployment client phones home to the deployment server, in epoch time. |
| mgmt | The managment port for the deployment client. |
| minLatestPhonehomeTime | Specifies in epoch seconds the minimum latency for a client to contact the deployment server. |
| minPhonehome_latency_to_avgInterval_ratio | The minimum value specified for the ratio of the phone home latency to the average phone home interval. |
| name | The name of the deployment client server. |
| serverclasses | List of server classes for the deployment client. |
| utsname | Machine type for the deployment server client. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/clients/countClients_by_machineType
Authentication: Not required
Access information about deployment clients to this server according to the machine type of the client.
| Method | Description | Formats |
|---|---|---|
| GET | Lists the count of deployment clients to this server by machine type. | XML, JSON |
deployment/server/clients/countClients_by_machineType method detailNone
| Name | Description |
|---|---|
| counts | The list of machine types for this deployment client, showing the count of each machine type. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/clients/countRecentDownloads
Authentication: Not required
Access the count of the number of downloads from this client to the deployment server during the last specified time period.
| Method | Description | Formats |
|---|---|---|
| GET | Return the count of the number of downloads from this client to the deployment server during the last specified time period. | XML, JSON |
deployment/server/clients/countRecentDownloads method detail| Name | Type | Default | Description |
|---|---|---|---|
| application | String | Count the number of downloads for clients that have attempted to download the named application. | |
| hasDeploymentError | Boolean | Indicates whether to count downloads for clients that have a deployment error. | |
| maxAgeSecs required | Number | Age of the downloads to count, in seconds. | |
| maxPhonehome_latency_to_avgInterval_ratio | Number | List the count of recent download by this client to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter | |
| minLatestPhonehomeTime | Number | Specifies in epoch seconds the minimum latency for a client to contact the deployment server. This endpoint lists the number of downloads for clients to the deployment server with a latency equal to or greater than specified by this parameter. | |
| minPhonehome_latency_to_avgInterval_ratio | Number | List the number of recent downloads by clients to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter. | |
| serverclasses | String | Comma-separated list of server classes. Lists the number of recent downloads by clients to the deployment server that are configured to send an application to a listed serverclass. |
| Name | Description |
|---|---|
| count | The number of recent downloads. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/clients/{name}
Authentication: Not required
Get client information or remove a client.
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the specified client from the deployment server registry. The next time the client "phones home" the record is re-created. | XML, JSON |
| GET | Lists information about the named client to the deployment server. | XML, JSON |
deployment/server/clients/{name} method detailNone
None
deployment/server/clients/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| application | String | Lists information about this client with respect to the named application. | |
| hasDeploymentError | Boolean | Indicates whether to list this client if has a deployment error. | |
| maxPhonehome_latency_to_avgInterval_ratio | Number | List clients to the deployment server when the ratio of the phone home latency to the average phone home interval is less than the value supplied to this parameter. | |
| minLatestPhonehomeTime | Number | Specifies in epoch seconds the minimum latency for a client to contact the deployment server. This endpoint lists information about the named client if it has a latency equal to or greater than specified by this parameter. | |
| minPhonehome_latency_to_avgInterval_ratio | Number | List information about the named client to the deployment server when the ratio of the phone home latency to the average phone home interval is greater than the value supplied with this parameter. | |
| serverclasses | String | Comma-separated list of serverclasses. Lists information about this client if it is configured to send an application to a listed serverclass. |
| Name | Description |
|---|---|
| application | The name of the application specified to filter the results of this call. |
| applications | List of applications deployed to the deployment client. |
| averagePhoneHomeInterval | The average phone home interval, in seconds. |
| build | The build number for the instance of Splunk Enterprise on the deployment client. |
| dns | The DNS lookup name of the deployment client server. |
| guid | Identifier for the deployment server client. |
| hasDeploymentError | Specifies whether to check for clients with a deployment error. |
| hostname | The host name of the deployment client server. |
| id | ID for the client based on client name and IP address. |
| ip | The IP address of the client to the deployment server. |
| lastPhoneHomeTime | The last time the deployment client phones home to the deployment server, in epoch time. |
| maxPhonehome_latency_to_avgInterval_ratio | The maximum value specified for the ratio of the phone home latency to the average phone home interval. |
| mgmt | The managment port for the deployment client. |
| minLatestPhonehomeTime | Specifies in epoch seconds the minimum latency for a client to contact the deployment server. |
| minPhonehome_latency_to_avgInterval_ratio | The minimum value specified for the ratio of the phone home latency to the average phone home interval. |
| name | The name of the deployment client server. |
| serverClasses | The list of server classes to which the client belongs. |
| serverclasses | List of server classes for the deployment client. |
| utsname | Machine type for the deployment server client. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/config
Authentication: Not required
Access server configuration information for deployment servers.
| Method | Description | Formats |
|---|---|---|
| GET | List configuration information for all deployment servers. | XML, JSON |
deployment/server/config method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| currentDownloads | The number of current downloads for this deployment server. |
| disabled | Indicates whether the deployment server is disabled. |
| loadTime | The time, in epoch seconds, the serverclass for this server was loaded. |
| repositoryLocation | The location on the deployment server to store the content that is to be deployed. |
| whitelist.0 | Lists the contents of whitelist.0. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/config/attributesUnsupportedInUI
Authentication: Not required
Access deployment server attriutes that cannot be configured from Splunk Web.
| Method | Description | Formats |
|---|---|---|
| GET | Lists deployment server attributes that cannot be configured from Splunk Web. | XML, JSON |
deployment/server/config/attributesUnsupportedInUI method detailNone
| Name | Description |
|---|---|
| property | The attribute that cannot be configured from Splunk Web. |
| reason | The reason an attribute cannot be configured from Splunk Web. |
| stanza | The stanza in serverclass.conf that lists deployment server attributes that cannot be configured from Splunk Web. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/config/listIsDisabled
Authentication: Not required
Access information as to whether the deployment server is enabled.
| Method | Description | Formats |
|---|---|---|
| GET | List whether the deployment server is disabled. | XML, JSON |
deployment/server/config/listIsDisabled method detailNone
| Name | Description |
|---|---|
| disabled | Indicates if the deployment server is disabled. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/serverclasses
Authentication: Not required
Access information about server classes.
| Method | Description | Formats |
|---|---|---|
| GET | List server classes for this deployment server. | XML, JSON |
| POST | Creates a server class. | XML, JSON |
deployment/server/serverclasses method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| blacklist-size | The number of entires in the blacklist for this serverclass. |
| clientId | ID of deployment client for this server class. |
| currentDownloads | Number of applications currently downloaded. |
| hasDeploymentError | Indicates whether the serverclass has at least one deployment error. |
| loadTime | The time, in epoch seconds, this serverclass was loaded. |
| machineTypesFilter | List of filters to be used in Boolean and logic with whitelist and blacklist filters. |
| repositoryList | List of applications stored at the location specified by repositoryLocation. |
| repositoryLocation | The location on the deployment server to store the content that is to be deployed for this server class. |
| restartSplunkWeb | Indicates whether to restart Splunk Web. |
| restartSplunkd | Indicates whether to restart splunkd. |
| stateOnClient | Indicates whether this server class is enabled or disabled. |
| whitelist-size | Specifies the number of entries in the whitelist for this server class. |
| whitelist.0 | List of servers for whitelist.0 for this server class. |
deployment/server/serverclasses method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The name of the server class. | |
| blacklist.* | String | List of hosts to exclude for this server class.
For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive. | |
| continueMatching | Boolen | Controls how configuration is layered across classes and server-specific settings.
If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true. A serverClass can override this property and stop the matching. | |
| filterType | Enum | Valid values: (whitelist | blacklist)
Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters. The whitelist setting indicates a filtering strategy that pulls in a subset:
The blacklist setting indicates a filtering strategy that rules out a subset:
More briefly: whitelist: default no-match -> whitelists enable -> blacklists disable If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode. | |
| machineTypesFilter | String | Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.
Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included. Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter. The patterns are PCRE regular expressions, with the following aids for easier entry:
| |
| repositoryLocation | String | The location on the deployment server to store the content that is to be deployed for this server class.
For example: $SPLUNK_HOME/etc/deployment-apps | |
| restartSplunkWeb | Boolean | Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.
Defaults to false | |
| restartSplunkd | Boolean | Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.
Defaults to false | |
| stateOnClient | Enum | Valid values are (enabled | disabled | noop).
| |
| targetRepositoryLocation | String | The location on the deployment client to install the apps defined for this Deployment Server.
If unset, or set to empty, the repositoryLocation path is used. That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance Useful only with complex (for example, tiered) deployment strategies. | |
| tmpFolder | String | Working folder used by deployment server.
Defaults to $SPLUNK_HOME/var/run/tmp | |
| whitelist.* | String | List of hosts to accept for this server class.
For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive. |
| Name | Description |
|---|---|
| blacklist-size | The number of entries in the blacklist for this serverclass. |
| blacklist.* | Regular expressions used to exclude for this server class.
If a client matches any of the blacklist regular expressions, it is not included in the server class. The * is replaced by an integral ordinal number. |
| continueMatching | If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. |
| currentDownloads | Number of applications currently downloaded. |
| filterType | blacklist)
Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters. See description for the filterType POST parameter for more information. |
| loadTime | The time, in epoch seconds, this serverclass was loaded. |
| machineTypesFilter | List of filters to be used in Boolean and logic with whitelist and blacklist filters. |
| repositoryList | List of applications stored at the location specified by repositoryLocation. |
| repositoryLocation | The location on the deployment server to store the content that is to be deployed for this server class. |
| restartSplunkWeb | Indicates whether to restart Splunk Web. |
| restartSplunkd | Indicates whether to restart splunkd. |
| stateOnClient | Specifies whether the deployment client is enabled or disabled. |
| targetRepositoryLocation | The location on the deployment client to install the apps defined for this Deployment Server.
If unset, or set to empty, the repositoryLocation path is used. That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk Enterprise instance. Useful only with complex (for example, tiered) deployment strategies. |
| tmpFolder | Working folder used by deployment server.
Defaults to $SPLUNK_HOME/var/run/tmp |
| whitelist-size | Specifies the number of entries in the whitelist for this server class. |
| whitelist.* | Regular expressions used to accept for this server class.
If a client matches any of the whitelist regular expressions, it is included in the server class. The * is replaced by an integral ordinal number. |
[ Top ]
https://<host>:<mPort>/services/deployment/server/serverclasses/rename
Authentication: Not required
Rename a server class.
| Method | Description | Formats |
|---|---|---|
| POST | Specify a new name for a server class. | XML, JSON |
deployment/server/serverclasses/rename method detail| Name | Type | Default | Description |
|---|---|---|---|
| newName required | String | The new name of the server class. | |
| oldName required | String | The current name of the server class. |
None
[ Top ]
https://<host>:<mPort>/services/deployment/server/serverclasses/{name}
Authentication: Not required
Manage the {name} serverclass.
| Method | Description | Formats |
|---|---|---|
| DELETE | Remove the specfied server class from this deployment server. | XML, JSON |
| GET | List information about the named server class. | XML, JSON |
| POST | Update the named server class. | XML, JSON |
deployment/server/serverclasses/{name} method detailNone
None
deployment/server/serverclasses/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| clientId | String | GUID of a deployment client that is a member of the named server class. Lists information about the named server class with respect to this client. | |
| hasDeploymentError | Boolean | Indicates whether to only list server classes that have a deployment error. |
| Name | Description |
|---|---|
| blacklist-size | Specifies the size of the blacklist for the named server class. |
| clientId | ID of deployment client for this server class. |
| currentDownloads | The number of entires in the blacklist for this serverclass. |
| hasDeploymentError | Indicates whether the serverclass has at least one deployment error. |
| loadTime | The time, in epoch seconds, this serverclass was loaded. |
| machineTypesFilter | List of filters to be used in Boolean and logic with whitelist and blacklist filters. |
| repositoryList | List of applications stored at the location specified by repositoryLocation. |
| repositoryLocation | The location on the deployment server to store the content that is to be deployed for this server class. |
| restartSplunkWeb | Indicates whether to restart Splunk Web. |
| restartSplunkd | Indicates whether to restart splunkd. |
| stateOnClient | Indicates whether this server class is enabled or disabled. |
| whitelist-size | Specifies the number of entries in the whitelist for this server class. |
| whitelist.0 | List of servers for whitelist.0 for this server class. |
deployment/server/serverclasses/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| blacklist.* | String | List of hosts to exclude for this server class.
For each blacklist, replace * with an ordinal number to specify additional blacklists. Filter ordinals must start at 0 and be consecutive. | |
| continueMatching | Boolen | Controls how configuration is layered across classes and server-specific settings.
If true, configuration lookups continue matching server classes, beyond the first match. If false, only the first match is used. Matching is done in the order that server classes are defined. Defaults to true. A serverClass can override this property and stop the matching. | |
| filterType | Enum | Valid values: (whitelist | blacklist)
Determines the order of execution of filters. If filterType is whitelist, all whitelist filters are applied first, followed by blacklist filters. If filterType is blacklist, all blacklist filters are applied first, followed by whitelist filters. The whitelist setting indicates a filtering strategy that pulls in a subset:
The blacklist setting indicates a filtering strategy that rules out a subset:
More briefly: whitelist: default no-match -> whitelists enable -> blacklists disable If you specify whitelist at the global level, and then specify blacklist for an individual server class, the setting becomes blacklist for that server class, and you have to provide another filter in that server class definition to replace the one you overrode. | |
| machineTypesFilter | String | Comma-separated list of filters to be used in Boolean and logic with whitelist and blacklist filters.
Only clients that match the white/blacklist filters AND that match this machineTypesFilter are included. Thus the match is an intersection of the matches for the white/blacklist and the matches for MachineTypesFilter. The patterns are PCRE regular expressions, with the following aids for easier entry:
| |
| repositoryLocation | String | The location on the deployment server to store the content that is to be deployed for this server class.
For example: $SPLUNK_HOME/etc/deployment-apps | |
| restartSplunkWeb | Boolean | Indicates whether to restart SplunkWeb on the client when a member app or a directly configured app is updated.
Defaults to false | |
| restartSplunkd | Boolean | Indicates whether to restart splunkd on the client when a member app or a directly configured app is updated.
Defaults to false | |
| stateOnClient | Enum | Valid values are (enabled | disabled | noop).
| |
| targetRepositoryLocation | String | The location on the deployment client to install the apps defined for this Deployment Server.
If unset, or set to empty, the repositoryLocation path is used. That is, defaults to: $SPLUNK_HOME/etc/apps (the live configuration directory for a Splunk instance Useful only with complex (for example, tiered) deployment strategies. | |
| tmpFolder | String | Working folder used by deployment server.
Defaults to $SPLUNK_HOME/var/run/tmp | |
| whitelist.* | String | List of hosts to accept for this server class.
For each whitelist, replace * with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive. |
None
[ Top ]
https://<host>:<mPort>/services/search/distributed/bundle-replication-files
Authentication: Not required
Provide access to distributed search bundle replication files.
| Method | Description | Formats |
|---|---|---|
| GET | List distributed search bundle replication files. | XML, JSON |
search/distributed/bundle-replication-files method detailPagination and filtering parameters can be used with this method.
None
[ Top ]
https://<host>:<mPort>/services/search/distributed/bundle-replication-files/{name}
Authentication: Not required
Get {name} bundle replication file information.
| Method | Description | Formats |
|---|---|---|
| GET | LIst information about the specified bundle replication file. For {name}, specify the checksum for the file. | XML, JSON |
search/distributed/bundle-replication-files/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| force_list_all | Boolean | Indicates whether to force a listing of the file. |
None
[ Top ]
https://<host>:<mPort>/services/search/distributed/config
Authentication: Not required
Provides access to the Splunk Enterprise distributed search options. This option is not for adding search peers.
| Method | Description | Formats |
|---|---|---|
| GET | Lists the configuration options for the distributed search system. | XML, JSON |
search/distributed/config method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| autoAddServers | [Deprecated] |
| blacklistNames | List of filenames that match the blacklist pattern, and are not replicated. |
| blacklistURLs | List of URLs that are blacklisted, and thus is not replicated. |
| checkTimedOutServersFrequency | Rechecks servers at the specified frequency (in seconds). If this is set to 0, then no recheck occurs. Defaults to 60.
This attribute is ONLY relevant if removeTimedOutServers is set to |
| connectionTimeout | Connection timeout. |
| disabled | Indicates if the distributed search is disabled. |
| dist_search_enabled | Indicates if the distributed search is enabled. |
| heartbeatFrequency | [Deprecated] |
| heartbeatMcastAddr | [Deprecated] |
| heartbeatPort | [Deprecated] |
| receiveTimeout | Amount of time in seconds to use as a timeout while trying to read/receive data from a search peer. |
| removedTimedOutServers | If true, removes a server connection that cannot be made within serverTimeout.
If false, every call to that server attempts to connect. This may result in a slow user interface. |
| sendTimeout | Send timeout. |
| serverTimeout | [Deprecated] Refer to connectionTimeout, sendTimeout, and receiveTimeout. |
| servers | The initial list of servers.
If operating completely in autoAddServers mode (discovering all servers), there is no need to list any servers here. |
| shareBundles | Indicates whether this server uses bundle replication to share search time configuration with search peers.
If set to false, the search head assumes that the search peers can access the correct bundles using an NFS share and have correctly configured the options listed under: "SEARCH HEAD BUNDLE MOUNTING OPTIONS." |
| skipOurselves | [Deprecated] |
| statusTimeout | Set connection timeout when gathering a search peer's basic info (/services/server/info). Read/write timeouts are automatically set to twice this value. |
| ttl | [Deprecated] |
[ Top ]
https://<host>:<mPort>/services/search/distributed/peers
Authentication: Not required
Provides distributed peer server management. A search peer is defined as a splunk server to which another splunk server distributes searches. The splunk server where the search request originates is referred to as the search head.
| Method | Description | Formats |
|---|---|---|
| GET | Returns a list of configured search peers that this search head is configured to distribute searches to. This includes configured search peers disabled. | XML, JSON |
search/distributed/peers method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| build | The Splunk Enterprise build number for this peer. |
| bundle_versions | The IDs of the bundles (of this search head) that the peer has.
The IDs are sorted from latest to earliest. |
| disabled | Indicates if the peer is disabled. |
| guid | GUID of the peer. |
| is_https | Inidcates if the management port is ussing SSL. |
| licenseSignature | The license signature. |
| peerName | The Splunk Enterprise server name of the peer. |
| peerType | Specifies whether the peer is configured or discovered. |
| replicationStatus | The status of bundle replication to this peer. Can be any of the following values:
|
| status | The status of the peer.
Can be one of the following values:
|
| version | The Splunk Enterprise version string this peer is running. |
[ Top ]
https://<host>:<mPort>/services/search/distributed/peers
Authentication: Not required
Provides distributed peer server management. A search peer is defined as a splunk server to which another splunk server distributes searches. The splunk server where the search request originates is referred to as the search head.
| Method | Description | Formats |
|---|---|---|
| POST | Returns a list of configured search peers that this search head is configured to distribute searches to. This includes configured search peers disabled. | XML, JSON |
search/distributed/peers/{name} method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| build | The Splunk Enterprise build number for this peer. |
| bundle_versions | The IDs of the bundles (of this search head) that the peer has.
The IDs are sorted from latest to earliest. |
| disabled | Indicates if the peer is disabled. |
| guid | GUID of the peer. |
| is_https | Inidcates if the management port is ussing SSL. |
| licenseSignature | The license signature. |
| peerName | The Splunk Enterprise server name of the peer. |
| peerType | Specifies whether the peer is configured or discovered. |
| replicationStatus | The status of bundle replication to this peer. Can be any of the following values:
|
| status | The status of the peer.
Can be one of the following values:
|
| version | The Splunk Enterprise version string this peer is running. |
[ Top ]
curl -k -u admin:pass https://localhost:8089/services/deployment/client
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>deploymentclient</title>
<id>https://localhost:8089/services/deployment/client</id>
<updated>2011-07-11T00:35:37-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>deployment-client</title>
<id>https://localhost:8089/services/deployment/client/deployment-client</id>
<updated>2011-07-11T00:35:37-07:00</updated>
<link href="/services/deployment/client/deployment-client" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/client/deployment-client" rel="list"/>
<link href="/services/deployment/client/deployment-client" rel="edit"/>
<link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="serverClasses">
<s:list>
<s:item>dstest:dstestapp</s:item>
</s:list>
</s:key>
<s:key name="targetUri">essplunk:8089</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/client/config
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentclient</title>
<id>https://localhost:8089/services/deployment/client</id>
<updated>2013-07-31T20:49:58-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>config</title>
<id>https://localhost:8089/services/deployment/client/config</id>
<updated>2013-07-31T20:49:58-07:00</updated>
<link href="/services/deployment/client/config" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/client/config" rel="list"/>
<link href="/services/deployment/client/config" rel="edit"/>
<link href="/services/deployment/client/config/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="serverClasses">
<s:list>
<s:item>sc_apps_wma:wma-app2</s:item>
<s:item>sc_apps_wma:wma-app1</s:item>
<s:item>sc_mach_type:wma-app2</s:item>
<s:item>sc_new:wma-app2</s:item>
<s:item>sc_new:wma-app1</s:item>
</s:list>
</s:key>
<s:key name="targetUri">localhost:8089</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/client/config/listIsDisabled
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentclient</title>
<id>https://localhost:8089/services/deployment/client</id>
<updated>2013-08-04T18:49:25-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>default</title>
<id>https://localhost:8089/services/deployment/client/default</id>
<updated>2013-08-04T18:49:25-07:00</updated>
<link href="/services/deployment/client/default" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/client/default" rel="list"/>
<link href="/services/deployment/client/default" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass -X POST https://localhost:8089/services/deployment/client/config/reload
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentclient</title>
<id>https://localhost:8089/services/deployment/client</id>
<updated>2013-10-07T15:49:06-07:00</updated>
<generator build="182462" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/client/listIsDisabled" rel="listIsDisabled"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>config</title>
<id>https://localhost:8089/services/deployment/client/config</id>
<updated>2013-10-07T15:49:06-07:00</updated>
<link href="/services/deployment/client/config" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/client/config" rel="list"/>
<link href="/services/deployment/client/config" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/client/deployment-client/reload
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>deploymentclient</title>
<id>https://localhost:8089/services/deployment/client</id>
<updated>2011-07-11T00:39:23-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>deployment-client</title>
<id>https://localhost:8089/services/deployment/client/deployment-client</id>
<updated>2011-07-11T00:39:23-07:00</updated>
<link href="/services/deployment/client/deployment-client" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/client/deployment-client" rel="list"/>
<link href="/services/deployment/client/deployment-client" rel="edit"/>
<link href="/services/deployment/client/deployment-client/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="serverClasses">
<s:list>
<s:item>dstest:dstestapp</s:item>
</s:list>
</s:key>
<s:key name="targetUri">tiny:8089</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>applications</title>
<id>https://localhost:8089/services/deployment/server/applications</id>
<updated>2013-08-01T09:35:22-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/applications/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>wma-app-test2</title>
<id>https://localhost:8089/services/deployment/server/applications/wma-app2</id>
<updated>2013-08-01T09:35:22-07:00</updated>
<link href="/services/deployment/server/applications/wma-app2" rel="alternate"/>
<author>
<name>system</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
... eai:acl node elided ...
<s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_mach_type</s:item>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>wma-app1</title>
<id>https://localhost:8089/services/deployment/server/applications/wma-app1</id>
<updated>2013-08-01T09:35:22-07:00</updated>
<link href="/services/deployment/server/applications/wma-app_test1" rel="alternate"/>
<author>
<name>system</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
... eai:acl node elided ...
<s:key name="loadtime">Wed Jul 31 14:17:23 2013</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app1
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>applications</title>
<id>https://localhost:8089/services/deployment/server/applications</id>
<updated>2013-08-04T18:53:50-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/applications/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>wma-app1</title>
<id>https://localhost:8089/services/deployment/server/applications/wma-app1</id>
<updated>2013-08-04T18:53:50-07:00</updated>
<link href="/services/deployment/server/applications/wma-app1" rel="alternate"/>
<author>
<name>system</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">... elided ...</s:key>
<s:key name="loadtime">Fri Aug 2 11:19:53 2013</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/applications/wma-app3 -d serverclass=sc_apps_wma
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>applications</title>
<id>https://localhost:8089/services/deployment/server/applications</id>
<updated>2013-08-10T12:50:59-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/applications/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>wma-app3</title>
<id>https://localhost:8089/services/deployment/server/applications/wma-app3</id>
<updated>2013-08-10T12:50:59-07:00</updated>
<link href="/services/deployment/server/applications/wma-app3" rel="alternate"/>
<author>
<name>system</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_mach_type/wma-app3-1376164259.bundle</s:key>
... eai:acl node elided ...
<s:key name="loadtime">Sat Aug 10 12:50:59 2013</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_mach_type</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclients</title>
<id>https://localhost:8089/services/deployment/server/clients</id>
<updated>2013-08-01T09:41:42-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
<link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
<link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
<link href="/services/deployment/server/clients/preview" rel="preview"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dc95537d0e8fdadc44d00c50fc431e25</title>
<id>https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25</id>
<updated>2013-08-01T09:41:42-07:00</updated>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="applications">
<s:dict>
<s:key name="wma-app-test2">
<s:dict>
<s:key name="action">Install</s:key>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375305443.bundle</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="result">Ok</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_mach_type</s:item>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="timestamp">Wed Jul 31 14:11:23 2013</s:key>
</s:dict>
</s:key>
<s:key name="wma-app_test1">
<s:dict>
<s:key name="action">Install</s:key>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375305443.bundle</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="result">Ok</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="timestamp">Wed Jul 31 14:17:23 2013</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="averagePhoneHomeInterval">60</s:key>
<s:key name="build">172889</s:key>
<s:key name="dns">localhost.sv.splunk.com</s:key>
... eai:acl node elided ...
<s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
<s:key name="hostname">localhost.sv.splunk.com</s:key>
<s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
<s:key name="ip">10.160.24.187</s:key>
<s:key name="lastPhoneHomeTime">1375375291</s:key>
<s:key name="mgmt">8089</s:key>
<s:key name="name">Ombra</s:key>
<s:key name="serverClasses">
<s:dict>
<s:key name="sc_apps_wma">
<s:dict>
<s:key name="loadTime">1375305443</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
<s:key name="sc_mach_type">
<s:dict>
<s:key name="loadTime">1375305443</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
<s:key name="sc_new">
<s:dict>
<s:key name="loadTime">1375305443</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="utsname">linux-x86_64</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/countClients_by_machineType
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclients</title>
<id>https://localhost:8089/services/deployment/server/clients</id>
<updated>2013-07-30T15:07:38-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
<link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
<link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
<link href="/services/deployment/server/clients/preview" rel="preview"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>default</title>
<id>https://localhost:8089/services/deployment/server/clients/default</id>
<updated>2013-07-30T15:07:38-07:00</updated>
<link href="/services/deployment/server/clients/default" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/clients/default" rel="list"/>
<link href="/services/deployment/server/clients/default" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="counts">
<s:dict>
<s:key name="linux-x86_64">3</s:key>
</s:dict>
</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass -d maxAgeSecs=1 -G https://localhost:8089/services/deployment/server/clients/countRecentDownloads
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclients</title>
<id>https://localhost:8089/services/deployment/server/clients</id>
<updated>2013-07-30T20:00:43-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
<link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
<link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
<link href="/services/deployment/server/clients/preview" rel="preview"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>default</title>
<id>https://localhost:8089/services/deployment/server/clients/default</id>
<updated>2013-07-30T20:00:43-07:00</updated>
<link href="/services/deployment/server/clients/default" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/clients/default" rel="list"/>
<link href="/services/deployment/server/clients/default" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="count">6</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/clients/1d3de43af2aae61139c367044127f44a
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclients</title>
<id>https://qa-sv-rh61x64-7:8103/services/deployment/server/clients</id>
<updated>2013-10-21T16:03:49-07:00</updated>
<generator build="182785" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
<link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
<link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
<link href="/services/deployment/server/clients/preview" rel="preview"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>149685cb3e39898fbd15be6604672a31</title>
<id>https://qa-sv-rh61x64-7:8103/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31</id>
<updated>2013-10-21T16:03:49-07:00</updated>
<link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="list"/>
<link href="/services/deployment/server/clients/149685cb3e39898fbd15be6604672a31" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="averagePhoneHomeInterval">60</s:key>
<s:key name="build">177748</s:key>
<s:key name="clientName">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
<s:key name="dns">qa-sv-rh61x64-10.sv.splunk.com</s:key>
... eai:acl node elided ...
<s:key name="guid">149685cb3e39898fbd15be6604672a31</s:key>
<s:key name="hostname">qa-sv-rh61x64-10</s:key>
<s:key name="id">connection_10.160.24.224_8097_qa-sv-rh61x64-10.sv.splunk.com_qa-sv-rh61x64-10_4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
<s:key name="ip">10.160.24.224</s:key>
<s:key name="lastPhoneHomeTime">1382396628</s:key>
<s:key name="mgmt">8097</s:key>
<s:key name="name">4D4EA12E-FDBA-41D3-99CD-2A61CC1DAB29</s:key>
<s:key name="serverClasses"/>
<s:key name="utsname">linux-x86_64</s:key>
</s:dict>
</content>
</entry>
. . . elided ...
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclients</title>
<id>https://localhost:8089/services/deployment/server/clients</id>
<updated>2013-08-04T18:59:31-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/clients/countClients_by_machineType" rel="countClients_by_machineType"/>
<link href="/services/deployment/server/clients/countRecentDownloads" rel="countRecentDownloads"/>
<link href="/services/deployment/server/clients/getMatchingAppsForClient_dryRun" rel="getMatchingAppsForClient_dryRun"/>
<link href="/services/deployment/server/clients/preview" rel="preview"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dc95537d0e8fdadc44d00c50fc431e25</title>
<id>https://localhost:8089/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25</id>
<updated>2013-08-04T18:59:31-07:00</updated>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="list"/>
<link href="/services/deployment/server/clients/dc95537d0e8fdadc44d00c50fc431e25" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="applications">
<s:dict>
<s:key name="wma-app2">
<s:dict>
<s:key name="action">Unknown</s:key>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app2-1375467593.bundle</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="result">Ok</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_mach_type</s:item>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
<s:key name="wma-app1">
<s:dict>
<s:key name="action">Unknown</s:key>
<s:key name="archive">/opt/cluster/peer1/splunk/var/run/tmp/sc_new/wma-app1-1375467593.bundle</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="result">Ok</s:key>
<s:key name="serverclasses">
<s:list>
<s:item>sc_new</s:item>
<s:item>sc_apps_wma</s:item>
</s:list>
</s:key>
<s:key name="size">112640</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="averagePhoneHomeInterval">60</s:key>
<s:key name="build">172889</s:key>
<s:key name="dns">localhost.sv.splunk.com</s:key>
... eai:acl node elided ...
... eai:attribute node elided ...
<s:key name="guid">dc95537d0e8fdadc44d00c50fc431e25</s:key>
<s:key name="hostname">localhost.sv.splunk.com</s:key>
<s:key name="id">connection_10.160.24.187_8089_localhost.sv.splunk.com_localhost.sv.splunk.com_Ombra</s:key>
<s:key name="ip">10.160.24.187</s:key>
<s:key name="lastPhoneHomeTime">1375667964</s:key>
<s:key name="mgmt">8089</s:key>
<s:key name="name">Ombra</s:key>
<s:key name="serverClasses">
<s:dict>
<s:key name="sc_apps_wma">
<s:dict>
<s:key name="loadTime">1375467593</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
<s:key name="sc_mach_type">
<s:dict>
<s:key name="loadTime">1375467593</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
<s:key name="sc_new">
<s:dict>
<s:key name="loadTime">1375467593</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="utsname">linux-x86_64</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/config
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentserver</title>
<id>https://localhost:8089/services/deployment/server/config</id>
<updated>2013-08-01T08:17:38-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/config/_reload" rel="_reload"/>
<link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
<link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>config</title>
<id>https://localhost:8089/servicesNS/nobody/system/deployment/server/config/config</id>
<updated>2013-08-01T08:17:38-07:00</updated>
<link href="/servicesNS/nobody/system/deployment/server/config/config" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/deployment/server/config/config" rel="list"/>
<link href="/servicesNS/nobody/system/deployment/server/config/config/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/deployment/server/config/config" rel="edit"/>
<link href="/servicesNS/nobody/system/deployment/server/config/config/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="currentDownloads">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="loadTime">1375305443</s:key>
<s:key name="repositoryLocation">$SPLUNK_HOME/etc/deployment-apps</s:key>
<s:key name="whitelist.0">*</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/attributesUnsupportedInUI
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentserver</title>
<id>https://localhost:8089/services/deployment/server/config</id>
<updated>2013-08-04T19:14:20-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/config/_reload" rel="_reload"/>
<link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
<link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
... eai:acl node elided ...
<s:messages/>
<entry>
<title>item_0</title>
<id>https://localhost:8089/services/deployment/server/config/item_0</id>
<updated>2013-08-04T19:14:20-07:00</updated>
<link href="/services/deployment/server/config/item_0" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/config/item_0" rel="list"/>
<link href="/services/deployment/server/config/item_0/_reload" rel="_reload"/>
<link href="/services/deployment/server/config/item_0" rel="edit"/>
<content type="text/xml">
<s:dict>
... opensearch nodes elided ...
<s:key name="property">whitelist.0</s:key>
<s:key name="reason">unsupported at this level</s:key>
<s:key name="stanza">global</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/config/listIsDisabled
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>deploymentserver</title>
<id>https://localhost:8089/services/deployment/server/config</id>
<updated>2013-08-10T14:08:11-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/config/_reload" rel="_reload"/>
<link href="/services/deployment/server/config/attributesUnsupportedInUI" rel="attributesUnsupportedInUI"/>
<link href="/services/deployment/server/config/listIsDisabled" rel="listIsDisabled"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>default</title>
<id>https://localhost:8089/services/deployment/server/config/default</id>
<updated>2013-08-10T14:08:11-07:00</updated>
<link href="/services/deployment/server/config/default" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/config/default" rel="list"/>
<link href="/services/deployment/server/config/default/_reload" rel="_reload"/>
<link href="/services/deployment/server/config/default" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-08-01T09:50:16-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_apps_wma</title>
<id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma</id>
<updated>2013-08-01T09:50:16-07:00</updated>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... eai:acl node elided ...
<s:key name="loadTime">1375305443</s:key>
<s:key name="machineTypesFilter"></s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="wma-app2"/>
<s:key name="wma-app1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">1</s:key>
<s:key name="whitelist.0">Ombra*</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>sc_mach_type</title>
<id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type</id>
<updated>2013-08-01T09:50:16-07:00</updated>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... eai:acl node elided ...
<s:key name="loadTime">1375305443</s:key>
<s:key name="machineTypesFilter">linux-x86_64,</s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="wma-app-test2"/>
<s:key name="wma-app_test1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">1</s:key>
<s:key name="whitelist.0">Ombra*</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses -d name=sc_apps_ombra
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-08-10T13:18:28-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_apps_ombra</title>
<id>https://localhost:8089/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra</id>
<updated>2013-08-10T13:18:28-07:00</updated>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/applications" rel="applications"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/clients" rel="clients"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_ombra/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... opensearch nodes elided ...
<s:key name="loadTime">1376165908</s:key>
<s:key name="machineTypesFilter"></s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="wma-app-test2"/>
<s:key name="wma-app3"/>
<s:key name="wma-app_test1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/rename -d oldName=sc_apps_ombra -d newName=sc_apps_shadow
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-10-09T08:54:09-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_apps_shadow</title>
<id>https://localhost:8089/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow</id>
<updated>2013-10-09T08:54:09-07:00</updated>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="list"/>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="edit"/>
<link href="/servicesNS/nobody/search/deployment/server/serverclasses/sc_apps_shadow" rel="remove"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/applications" rel="applications"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/clients" rel="clients"/>
<link href="/servicesNS/nobody/search/deployment/serverclasses/sc_apps_shadow/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... eai:acl node elided ...
<s:key name="loadTime">1381334049</s:key>
<s:key name="machineTypesFilter"></s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="tmp"/>
<s:key name="wma-app-test2"/>
<s:key name="wma-app3"/>
<s:key name="wma-app_test1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/deployment/server/serverclasses/sc_apps_shadow
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-10-09T09:13:27-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_apps_wma</title>
<id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma</id>
<updated>2013-10-09T09:13:27-07:00</updated>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="list"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="edit"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_apps_wma" rel="remove"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/applications" rel="applications"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/clients" rel="clients"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_apps_wma/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... eai:acl node elided ...
<s:key name="loadTime">1381335207</s:key>
<s:key name="machineTypesFilter"></s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="tmp"/>
<s:key name="wma-app-test2"/>
<s:key name="wma-app3"/>
<s:key name="wma-app_test1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">1</s:key>
<s:key name="whitelist.0">Ombra*</s:key>
</s:dict>
</content>
</entry>
... elided ...
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_mach_type
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-08-04T19:19:34-07:00</updated>
<generator build="172889" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_mach_type</title>
<id>https://localhost:8089/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type</id>
<updated>2013-08-04T19:19:34-07:00</updated>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="list"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="edit"/>
<link href="/servicesNS/nobody/system/deployment/server/serverclasses/sc_mach_type" rel="remove"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/applications" rel="applications"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/clients" rel="clients"/>
<link href="/servicesNS/nobody/system/deployment/serverclasses/sc_mach_type/reload" rel="reload"/>
<content type="text/xml">
<s:dict>
<s:key name="blacklist-size">0</s:key>
<s:key name="currentDownloads">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">... elided ...</s:key>
<s:key name="loadTime">1375467593</s:key>
<s:key name="machineTypesFilter">linux-x86_64,</s:key>
<s:key name="repositoryList">
<s:dict>
<s:key name="wma-app2"/>
<s:key name="wma-app1"/>
</s:dict>
</s:key>
<s:key name="repositoryLocation">/opt/cluster/peer1/splunk/etc/deployment-apps</s:key>
<s:key name="restartSplunkWeb">0</s:key>
<s:key name="restartSplunkd">0</s:key>
<s:key name="stateOnClient">enabled</s:key>
<s:key name="whitelist-size">1</s:key>
<s:key name="whitelist.0">Ombra*</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses/sc_apps_ombra -d stateOnClient=noop
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>serverclasses</title>
<id>https://localhost:8089/services/deployment/server/serverclasses</id>
<updated>2013-08-10T13:24:16-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/deployment/server/serverclasses/_new" rel="create"/>
<link href="/services/deployment/server/serverclasses/rename" rel="rename"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>sc_apps_ombra</title>
<id>https://localhost:8089/services/deployment/server/serverclasses/sc_apps_ombra</id>
<updated>2013-08-10T13:24:16-07:00</updated>
<link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="list"/>
<link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="edit"/>
<link href="/services/deployment/server/serverclasses/sc_apps_ombra" rel="remove"/>
<content type="text/xml">
<s:dict>
... opensearch nodes elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>search-head-bundles</title>
<id>https://localhost:8089/services/search/distributed/bundle-replication-files</id>
<updated>2013-10-09T09:42:51-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>13134207368020721783</title>
<id>https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783</id>
<updated>2013-10-09T09:42:51-07:00</updated>
<link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum">13134207368020721783</s:key>
... eai:acl node elided ...
<s:key name="filename">localhost-1381336958.bundle</s:key>
<s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
<s:key name="timestamp">1381336958</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>search-head-bundles</title>
<id>https://localhost:8089/services/search/distributed/bundle-replication-files</id>
<updated>2013-10-09T10:07:17-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>13134207368020721783</title>
<id>https://localhost:8089/services/search/distributed/bundle-replication-files/13134207368020721783</id>
<updated>2013-10-09T10:07:17-07:00</updated>
<link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/distributed/bundle-replication-files/13134207368020721783" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="checksum">13134207368020721783</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">... elided ...</s:key>
<s:key name="filename">localhost-1381336958.bundle</s:key>
<s:key name="location">/opt/cluster/peer1/splunk/var/run/localhost-1381336958.bundle</s:key>
<s:key name="timestamp">1381336958</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/distributed/config
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>distsearch-setup</title>
<id>https://localhost:8089/services/search/distributed/config</id>
<updated>2011-07-10T23:21:51-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>distributedSearch</title>
<id>https://localhost:8089/services/search/distributed/config/distributedSearch</id>
<updated>2011-07-10T23:21:51-07:00</updated>
<link href="/services/search/distributed/config/distributedSearch" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/distributed/config/distributedSearch" rel="list"/>
<link href="/services/search/distributed/config/distributedSearch" rel="edit"/>
<link href="/services/search/distributed/config/distributedSearch" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="autoAddServers">0</s:key>
<s:key name="blacklistNames"/>
<s:key name="blacklistURLs"/>
<s:key name="checkTimedOutServersFrequency">60</s:key>
<s:key name="disabled">0</s:key>
<s:key name="dist_search_enabled">1</s:key>
... eai:acl node elided ...
<s:key name="heartbeatFrequency">0</s:key>
<s:key name="heartbeatMcastAddr">224.0.0.37</s:key>
<s:key name="heartbeatPort">8888</s:key>
<s:key name="removedTimedOutServers">0</s:key>
<s:key name="serverTimeout">10</s:key>
<s:key name="servers"/>
<s:key name="shareBundles">1</s:key>
<s:key name="skipOurselves">0</s:key>
<s:key name="statusTimeout">10</s:key>
<s:key name="ttl">1</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>distsearch-peer</title>
<id>https://localhost:8089/services/search/distributed/peers</id>
<updated>2011-07-11T18:21:48-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/distributed/peers/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>tiny:8090</title>
<id>https://localhost:8089/services/search/distributed/peers/tiny%3A8090</id>
<updated>2011-07-11T18:21:48-07:00</updated>
<link href="/services/search/distributed/peers/tiny%3A8090" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/distributed/peers/tiny%3A8090" rel="list"/>
<link href="/services/search/distributed/peers/tiny%3A8090" rel="edit"/>
<link href="/services/search/distributed/peers/tiny%3A8090" rel="remove"/>
<link href="/services/search/distributed/peers/tiny%3A8090/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="build"/>
<s:key name="bundle_versions">
<s:list/>
</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="guid"/>
<s:key name="is_https">1</s:key>
<s:key name="licenseSignature"/>
<s:key name="peerName">tiny:8090</s:key>
<s:key name="peerType">configured</s:key>
<s:key name="replicationStatus">Initial</s:key>
<s:key name="status">Down</s:key>
<s:key name="version"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/distributed/peers -d name=MrT:8092 -d remoteUsername=admin -d remotePassword=mypass
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>distsearch-peer</title>
<id>https://localhost:8089/services/search/distributed/peers</id>
<updated>2011-07-11T18:22:00-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/distributed/peers/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
Manage and preview input data, including:
https://<host>:<mPort>/services/data/inputs/ad
Authentication: Not required
Provides access to Active Directory monitoring input.
| Method | Description | Formats |
|---|---|---|
| GET | Gets current active directory monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing performance monitoring settings. | XML, JSON |
data/inputs/ad method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, send data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
| startingNode | Tells Splunk Enterprise where in the Active Directory directory tree to start monitoring.
If not specified, Splunk Enterprise attempts to start at the root of the directory tree. The user that you configure Splunk Enterprise to run as at installation determines where Splunk starts monitoring. |
| targetDc | Fully qualified domain name of a valid, network-accessible Active Directory domain controller.
If not specified, Splunk Enterprise obtains the local computer DC by default, and binds to its root Distinguished Name (DN). |
data/inputs/ad method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree required | Number | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| name required | String | A unique name that represents a configuration or set of configurations for a specific domain controller. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible domain controller. If not specified, Splunk Enterprise gets the local domain controller. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/ad/{name}
Authentication: Not required
Manage {name} active directory monitoring.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given active directory monitoring stanza. | XML, JSON |
| GET | Gets the current configuration for a given active directory monitoring stanza. | XML, JSON |
| POST | Modifies a given active directory monitoring stanza. | XML, JSON |
data/inputs/ad/{name} method detailNone
None
data/inputs/ad/{name} method detailNone
| Name | Description |
|---|---|
| Attribute | Description |
| disabled | Indicates whether this input is disabled. |
| index | The index in which to store the gathered data.
If no value is present, send data to the default index. |
| monitorSubtree | Indicates whether or not to monitor the subtrees of a given Active Directory tree path. |
data/inputs/ad/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline | Boolean | Indicates whether to query baseline objects. Defaults to true.
Baseline objects are objects which currently reside in Active Directory and include previously deleted objects. | |
| host | String | Docs-W8R2-Std7 | Host name for the Active Directory Monitor. |
| index | String | default | The index in which to store the gathered data.
If not specified defaults to the default index. |
| monitorSubtree required | Number | Whether or not to monitor the subtree(s) of a given directory tree path. 1 means yes, 0 means no. | |
| printSchema | Boolean | Indicates whether to print the Active Directory schema. Defaults to true. | |
| source | String | Source for data inputs. | |
| sourcetype | String | Source type of data inputs. | |
| startingNode | String | Where in the Active Directory directory tree to start monitoring. If not specified, attempts to start at the root of the directory tree. | |
| targetDc | String | Specifies a fully qualified domain name of a valid, network-accessible DC. If not specified, Splunk Enterprise gets the local computer's DC. |
None
https://<host>:<mPort>/services/data/inputs/all
Authentication: Not required
Provides access to all inputs to the Splunk Enterprise server. This includes any modular inputs that may be defined on the system.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all inputs, including modular inputs. | XML, JSON |
data/inputs/all method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| common | Boolean | Indicates whether to return only attributes commom to all inputs. These common attributes are:
|
Pagination and filtering parameters can be used with this method.
None
Returns an <entry> for each input, where <content> lists attributes specific to the input.
[ Top ]
https://<host>:<mPort>/services/data/inputs/all/{name}
Authentication: Not required
Get information about the {name} input source.
| Method | Description | Formats |
|---|---|---|
| GET | Lists details for inputs for the input source specified by {name}. | XML, JSON |
data/inputs/all/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| common | Boolean | Indicates whether to return only attributes commom to all inputs. These common attributes are:
|
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/monitor
Authentication: Not required
Provides access to monitor inputs.
| Method | Description | Formats |
|---|---|---|
| GET | List enabled and disabled monitor inputs. | XML, JSON |
| POST | Create a new file or directory monitor input. | XML, JSON |
data/inputs/monitor method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| _TCP_ROUTING | List of TCP forwarding groups, as specified in outputs.conf.
|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files monitored. |
| host | Name of the Splunk Enterprise host for which inputs are monitored. |
| index | The index in which to store the gathered data. |
| sourcetype | Source type being monitored.
The source type of an event is the format of the data input from which it originates, such as access_combined or cisco_syslog. The source type determines how Splunk Enterprise formats your data. |
data/inputs/monitor method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. | |
| check-index | Boolean | If set to true, the "index" value is checked to ensure that it is the name of a valid index. | |
| check-path | Boolean | If set to true, the "name" value is checked to ensure that it exists. | |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). | |
| disabled | Boolean | Indicates if input monitoring is disabled. | |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. | |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. | |
| index | String | default | Which index events from this input should be stored in. |
| name required | String | The file or directory path to monitor on the system. | |
| recursive | Boolean | Setting this to "false" prevents monitoring of any subdirectories encountered within this data input. | |
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. | |
| time-before-close | Number | When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. | |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
None
[ Top ]
pre>
</pre>
https://<host>:<mPort>/services/data/inputs/monitor/{name}
Authentication: Not required
Manage the {name} monitor input.
| Method | Description | Formats |
|---|---|---|
| DELETE | Disable the named monitor data input and remove it from the configuration. | XML, JSON |
| GET | List the properties of a single monitor data input. | XML, JSON |
| POST | Update properties of the named monitor input. | XML, JSON |
data/inputs/monitor/{name} method detailNone
None
data/inputs/monitor/{name} method detailNone
| Name | Description |
|---|---|
| disabled | Indicates if inputs monitoring is disabled. |
| filecount | Number of files being monitored. |
| host | Name of the Splunk Enterprise host for which inputs are monitored. |
| index | The index events from this input should be stored in. |
data/inputs/monitor/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| blacklist | String | Specify a regular expression for a file path. The file path that matches this regular expression is not indexed. | |
| check-index | Boolean | If set to true, the "index" value is checked to ensure that it is the name of a valid index. | |
| check-path | Boolean | If set to true, the "name" value is checked to ensure that it exists. | |
| crc-salt | String | A string that modifies the file tracking identity for files in this input. The magic value "<SOURCE>" invokes special behavior (see admin documentation). | |
| disabled | Boolean | Indicates if input monitoring is disabled. | |
| followTail | Boolean | If set to true, files that are seen for the first time is read from the end. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | Specify a regular expression for a file path. If the path for a file matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the filepath as the host field value. | |
| ignore-older-than | String | Specify a time value. If the modification time of a file being monitored falls outside of this rolling time window, the file is no longer being monitored. | |
| index | String | default | Which index events from this input should be stored in. |
| recursive | Boolean | Setting this to "false" prevents monitoring of any subdirectories encountered within this data input. | |
| rename-source | String | The value to populate in the source field for events from this data input. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. | |
| time-before-close | Number | When Splunk Enterprise reaches the end of a file that is being read, the file is kept open for a minimum of the number of seconds specified in this value. After this period has elapsed, the file is checked again for more data. | |
| whitelist | String | Specify a regular expression for a file path. Only file paths that match this regular expression are indexed. |
None
https://<host>:<mPort>/services/data/inputs/monitor/{name}/members
Authentication: Not required
List {name} monitor input files.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all files monitored under the named monitor input. | XML, JSON |
data/inputs/monitor/{name}/members method detailPagination and filtering parameters can be used with this method.
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/oneshot
Authentication: Not required
Provides access to oneshot inputs.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerates in-progress oneshot inputs. As soon as an input is complete, it is removed from this list. | XML, JSON |
| POST | Queues a file for immediate indexing. The file must be locally accessible from the server. This endpoint can handle any single file: plain, compressed or archive. The file is indexed in full, regardless of whether or not it is already indexed. | XML, JSON |
data/inputs/oneshot method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
data/inputs/oneshot method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| host | String | The value of the "host" field to be applied to data from this file. | |
| host_regex | String | A regex to be used to extract a "host" field from the path.
If the path matches this regular expression, the captured value is used to populate the host field for events from this data input. The regular expression must have one capture group. | |
| host_segment | Number | Use the specified slash-separate segment of the path as the host field value. | |
| index | String | The destination index for data processed from this file. | |
| name required | String | The path to the file to be indexed. The file must be locally accessible by the server. | |
| rename-source | String | The value of the "source" field to be applied to data from this file. | |
| sourcetype | String | The value of the "sourcetype" field to be applied to data from this file. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/oneshot/{name}
Authentication: Not required
Get information about the {name} one-shot input.
| Method | Description | Formats |
|---|---|---|
| GET | Finds information about a single in-flight one shot input. This is a subset of the information in the full enumeration. | XML, JSON |
data/inputs/oneshot/{name} method detailNone
| Name | Description |
|---|---|
| Bytes Indexed | Total number of bytes read and sent to the pipeline for indexing during a oneshot input.
This total includes the uncompressed byte count from a source file that is compressed on disk. |
| Offset | Current position in the source file, indicating how much of the file is read. For compressed source files, this offset represents the position in the compressed format.
You can obtain the percentage of a source file read by calculating offset/size. |
| Size | Size of the source file, in bytes.
You can obtain the percentage of a source file read by calculating offset/size. |
| Sources Indexed | Indicates the number of sources read from a file in a compressed format such as tar or zip.
A value of 0 indicates the source file was not compressed. |
| Spool Time | Time that the request was made to read the source file. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/registry
Authentication: Not required
Provides access to Windows registry monitoring input.
| Method | Description | Formats |
|---|---|---|
| GET | Gets current registry monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing registry monitoring settings. | XML, JSON |
data/inputs/registry method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| baseline | Indicates whether or not Splunk Enterprise should get a baseline of Registry events when it starts. Defaults to false.
If true, the input captures a baseline for the specified hive when the input starts for the first time. |
| disabled | Indicats whether this input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | A regular expression that specifies the types of Registry events to monitor. |
data/inputs/registry method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline required | Number | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. | |
| hive required | String | Specifies the registry hive under which to monitor for changes. | |
| name required | String | Name of the configuration stanza. | |
| proc required | String | Specifies a regex. If specified, collect changes if a process name matches that regex. | |
| type required | String | A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character. For example,
set|create|delete|rename | |
| disabled | Number | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all Registry hives beneath the specified hive. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/registry/{name}
Authentication: Not required
Manage registry monitoring {name} stanza.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes registry monitoring configuration stanza. | XML, JSON |
| GET | Gets current registry monitoring configuration stanza. | XML, JSON |
| POST | Modifies given registry monitoring stanza. | XML, JSON |
data/inputs/registry/{name} method detailNone
None
data/inputs/registry/{name} method detailNone
| Name | Description |
|---|---|
| baseline | Indicates whether to get a baseline of Registry events when Splunk Enterprise starts. |
| disabled | Indicates if the input is disabled. |
| hive | Regular expression for Registry hives that this input should monitor for Registry access.
Matches against the Registry key which was accessed. Events that contain hives that do not match the regular expression get filtered out. Events that contain hives that match the regular expression pass through. |
| index | Specifies the index that this input should send the data to.
If no value is present, defaults to the default index. |
| monitorSubnodes | Indicates whether to monitor all Registry hives beneath the specified hive. |
| proc | Regular expression for processes this input should monitor for Registry access.
It matches against the process name which performed the Registry access. Events generated by processes that do not match the regular expression get filtered out. Events generated by processes that match the regular expression pass through. |
| type | Regular expression that specifies the types of Registry events to monitor. |
data/inputs/registry/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| baseline required | Number | Specifies whether or not to establish a baseline value for the registry keys. 1 means yes, 0 no. | |
| hive required | String | Specifies the registry hive under which to monitor for changes. | |
| proc required | String | Specifies a regex. If specified, collect changes if a process name matches that regex. | |
| type required | String | A list of Registry events types that you want to monitor. Separate each type with a pipe ('|') character.
For example: set|create|delete|rename | |
| disabled | Number | Indicates whether the monitoring is disabled. | |
| index | String | default | The index in which to store the gathered data. |
| monitorSubnodes | Boolean | True | Indicates whether to monitor all Registry hives beneath the specified hive. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/script
Authentication: Not required
Provides access to scripted inputs.
| Method | Description | Formats |
|---|---|---|
| GET | Gets the configuration settings for scripted inputs. | XML, JSON |
| POST | Configures settings for new scripted inputs. | XML, JSON |
data/inputs/script method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| endtime | If available, the time when the script stopped executing. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | The host this data is identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
| source | The source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. |
| sourcetype | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. There is no hard-coded default.
For more information, see the documentation for the sourcetype parameter for the POST operation. |
| starttime | If available, the time the when the script was executed. |
data/inputs/script method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval required | Number | 60.0 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| name required | String | Specify the name of the scripted input. | |
| passAuth | String | User to run the script as.
If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/script/restart
Authentication: Not required
Allows for restarting scripted inputs.
| Method | Description | Formats |
|---|---|---|
| POST | Causes a restart on a given scripted input. | XML, JSON |
data/inputs/script/restart method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| script required | String | Path to the script to be restarted. This path must match an already-configured existing scripted input. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/script/{name}
Authentication: Not required
Manage the {name} scripted input.
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the scripted input specified by {name}. | XML, JSON |
| GET | Returns the configuration settings for the scripted input specified by {name}. | XML, JSON |
| POST | Configures settings for scripted input specified by {name}. | XML, JSON |
data/inputs/script/{name} method detailNone
None
data/inputs/script/{name} method detailNone
| Name | Description |
|---|---|
| disabled | Specifies whether the input script is disabled. |
| group | The name of the inputstatus group, which is always "exec commands." |
| host | The host this data is identified with. |
| index | Sets the index for events from this input. Defaults to the main index. |
| interval | An integer or cron schedule.
Specifies how often to execute the specified script, in seconds or a valid cron schedule. For a cron schedule, the script is not executed on start-up. |
data/inputs/script/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Specifies whether the input script is disabled. | |
| host | String | Sets the host for events from this input. Defaults to whatever host sent the event. | |
| index | String | default | Sets the index for events from this input. Defaults to the main index. |
| interval | Number | 60.0 | Specify an integer or cron schedule. This parameter specifies how often to execute the specified script, in seconds or a valid cron schedule. If you specify a cron schedule, the script is not executed on start-up. |
| passAuth | String | User to run the script as.
If you provide a username, Splunk Enterprise generates an auth token for that user and passes it to the script. | |
| rename-source | String | Specify a new name for the source field for the script. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieived. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Sets the sourcetype key/field for events from this input. If unset, Splunk Enterprise picks a source type based on various aspects of the data. As a convenience, the chosen string is prepended with 'sourcetype::'. There is no hard-coded default.
Sets the sourcetype key initial value. The key is used during parsing/indexing, in particular to set the source type field during indexing. It is also the source type field used at search time. Primarily used to explicitly declare the source type for this data, as opposed to allowing it to be determined using automated methods. This is typically important both for searchability and for applying the relevant configuration for this type of data during parsing and indexing. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/cooked
Authentication: Not required
Provides access to TCP inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
| Method | Description | Formats |
|---|---|---|
| GET | Returns information about all cooked TCP inputs. | XML, JSON |
| POST | Creates a new container for managing cooked data. | XML, JSON |
data/inputs/tcp/cooked method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Indicates if the input is disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
data/inputs/tcp/cooked method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| name required | Number | The port number of this input. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}
Authentication: Not required
Manage cooked TCP inputs for the {name} host or port.
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the cooked TCP inputs for port or host:port specified by {name} | XML, JSON |
| GET | Returns information for the cooked TCP input specified by {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Updates the container for managing cooked data. | XML, JSON |
data/inputs/tcp/cooked/{name} method detailNone
None
data/inputs/tcp/cooked/{name} method detailNone
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Indicates if the input is disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The default value to fill in for events lacking a host value. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
data/inputs/tcp/cooked/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | If SSL is not already configured, error is returned | |
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the input is disabled. | |
| host | String | The default value to fill in for events lacking a host value. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/cooked/{name}/connections
Authentication: Not required
Get active connections to the {name} port.
| Method | Description | Formats |
|---|---|---|
| GET | Retrieves list of active connections to the named port. | XML, JSON |
data/inputs/tcp/cooked/{name}/connections method detailNone
| Name | Description |
|---|---|
| connection | Identifies the connection to port. |
| servername | Server name of forwarder connecting to this port. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/raw
Authentication: Not required
Container for managing raw tcp inputs from forwarders.
Forwarders can transmit three types of data: raw, unparsed, or parsed. Cooked data refers to parsed and unparsed formats.
| Method | Description | Formats |
|---|---|---|
| GET | Returns information about all raw TCP inputs. | XML, JSON |
| POST | Creates a new data input for accepting raw TCP data. | XML, JSON |
data/inputs/tcp/raw method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
data/inputs/tcp/raw method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | The host from which the indexer gets data. | |
| index | String | default | The index in which to store all generated events. |
| name required | String | The input port which splunk receives raw data in. | |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| SSL | Boolean | ||
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}
Authentication: Not required
Manage raw inputs for the {name} host or port.
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the raw inputs for port or host:port specified by {name} | XML, JSON |
| GET | Returns information about raw TCP input port {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Updates the container for managing raw data. | XML, JSON |
data/inputs/tcp/raw/{name} method detailNone
None
data/inputs/tcp/raw/{name} method detailNone
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
| restrictToHost | Restrict incoming connections on this port to the specified host. |
data/inputs/tcp/raw/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| SSL | Boolean | ||
| connection_host | Enum | dns | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| host | String | The host from which the indexer gets data. | |
| index | String | default | The index in which to store all generated events. |
| queue | Enum | Valid values: (parsingQueue | indexQueue)
Specifies where the input processor should deposit the events it reads. Defaults to parsingQueue. Set queue to Set queue to | |
| rawTcpDoneTimeout | Number | Specifies in seconds the timeout value for adding a Done-key. Default value is 10 seconds.
If a connection over the port specified by | |
| restrictToHost | String | Allows for restricting this input to only accept data from the host specified here. | |
| source | String | Sets the source key/field for events from this input. Defaults to the input file path.
Sets the source key initial value. The key is used during parsing/indexing, in particular to set the source field during indexing. It is also the source field used at search time. As a convenience, the chosen string is prepended with 'source::'. Note: Overriding the source key is generally not recommended. Typically, the input layer provides a more accurate string to aid in problem analysis and investigation, accurately recording the file from which the data was retrieved. Consider use of source types, tagging, and search wildcards before overriding this value. | |
| sourcetype | String | Set the source type for events from this input.
"sourcetype=" is automatically prepended to <string>. Defaults to audittrail (if signedaudit=true) or fschange (if signedaudit=false). |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/raw/{name}/connections
Authentication: Not required
Get active connections the the {name} host or port.
| Method | Description | Formats |
|---|---|---|
| GET | View all connections to the named data input. | XML, JSON |
data/inputs/tcp/raw/{name}/connections method detailNone
| Name | Description |
|---|---|
| connection | IP address and port of the source connecting to this TCP input port. |
| servername | DNS name of the source connecting to this TCP input port. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/ssl
Authentication: Not required
Provides access to the SSL configuration of a Splunk Enterprise server.
| Method | Description | Formats |
|---|---|---|
| GET | Returns SSL configuration. There is only one SSL configuration for all input ports. | XML, JSON |
data/inputs/tcp/ssl method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Indicates whether this input is disabled. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/tcp/ssl/{name}
Authentication: Not required
Manage SSL configuration for the {name} host.
| Method | Description | Formats |
|---|---|---|
| GET | Returns the SSL configuration for the host {name}. | XML, JSON |
| POST | Configures SSL attributes for the host {name}. | XML, JSON |
data/inputs/tcp/ssl/{name} method detailNone
| Name | Description |
|---|---|
| _rcvbuf | [Deprecated] |
| cipherSuite | Specifies list of acceptable ciphers to use in ssl. |
| disabled | Indicates whether this input is disabled. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
data/inputs/tcp/ssl/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| disabled | Boolean | Indicates whether the inputs are disabled. | |
| password | String | Server certificate password, if any. | |
| requireClientCert | Boolean | Determines whether a client must authenticate. | |
| rootCA | String | Certificate authority list (root file) | |
| serverCert | String | Full path to the server certificate. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/udp
Authentication: Not required
Provides access to UPD data inputs.
| Method | Description | Formats |
|---|---|---|
| GET | List enabled and disabled UDP data inputs. | XML, JSON |
| POST | Create a new UDP data input. | XML, JSON |
data/inputs/udp method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| _rcvbuf | Specifies socket receive buffer size in bytes. |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
data/inputs/udp method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| name required | String | The UDP port that this input should listen on. | |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk Enterprise does remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/udp/{name}
Authentication: Not required
Manage the {name} UDP host or port.
| Method | Description | Formats |
|---|---|---|
| DELETE | Disable the named UDP data input and remove it from the configuration. | XML, JSON |
| GET | List the properties of a single UDP data input port or host:port {name}. If port is restricted to a host, name should be URI-encoded host:port. | XML, JSON |
| POST | Edit properties of the named UDP data input. | XML, JSON |
data/inputs/udp/{name} method detailNone
None
data/inputs/udp/{name} method detailNone
| Name | Description |
|---|---|
| _rcvbuf | Specifies socket receive buffer size in bytes. |
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
| host | The host from which the indexer gets data. |
| index | The index in which to store generated events. |
data/inputs/udp/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| connection_host | Enum | ip | Valid values: (ip | dns | none)
Set the host for the remote server that is sending data.
Default value is |
| disabled | Boolean | Indicates if the input is disabled. | |
| host | String | The value to populate in the host field for incoming events.
This is used during parsing/indexing, in particular to set the host field. It is also the host field used at search time. | |
| index | String | default | Which index events from this input should be stored in. |
| no_appending_timestamp | Boolean | If set to true, prevents Splunk Enterprise from prepending a timestamp and hostname to incoming events. | |
| no_priority_stripping | Boolean | If set to true, Splunk Enterprise does remove the priority field from incoming syslog events. | |
| queue | String | Which queue events from this input should be sent to. Generally this does not need to be changed. | |
| restrictToHost | String | Restrict incoming connections on this port to the host specified here.
If this is not set, the value specified in [udp://<remote server>:<port>] in inputs.conf is used. | |
| source | String | The value to populate in the source field for incoming events. The same source should not be used for multiple data inputs. | |
| sourcetype | String | The value to populate in the sourcetype field for incoming events. |
None
[ Top ]
https://<host>:<mPort>/services/data/inputs/udp/{name}/connections
Authentication: Not required
List connections to the {name} host or port.
| Method | Description | Formats |
|---|---|---|
| GET | Lists connections to the named UDP input. | XML, JSON |
data/inputs/udp/{name}/connections method detailNone
| Name | Description |
|---|---|
| disabled | Indicates whether the inputs are disabled. |
| group | Set to 'listenerports' for listening ports. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-event-log-collections
Authentication: Not required
Provides access to all configured event log collections.
| Method | Description | Formats |
|---|---|---|
| GET | Retrieves a list of configured event log collections. | XML, JSON |
| POST | Creates of modifies existing event log collection settings. You can configure both native and WMI collection with this endpoint. | XML, JSON |
data/inputs/win-event-log-collections method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | The hosts that you are monitoring. |
| index | The index in which to store the gathered data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
data/inputs/win-event-log-collections method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | List of event log names from which to gather data:
| |
| lookup_host required | String | The host from which to monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. | |
| name required | String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI. |
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | The hosts that you are monitoring. |
| index | The index in which to store the gathered data. |
| logs | List of event log channels to monitor. |
| lookup_host | The host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is "localhost", it uses native event log collection; otherwise, it uses WMI |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-event-log-collections/{name}
Authentication: Not required
Manage the {name} Windows event log.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given event log collection. | XML, JSON |
| GET | Gets the configuration settings for a given event log collection. | XML, JSON |
| POST | Modifies existing event log collection. | XML, JSON |
data/inputs/win-event-log-collections/{name} method detailNone
None
data/inputs/win-event-log-collections/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| lookup_host | String | For internal use. Used by the UI when editing the initial host from which we gather event log data. |
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | The hosts that you are monitoring. |
| index | The index in which to store the gathered data.
If not specified defaults to the default index. |
| logs | List of event log channels to monitor. |
| lookup_host | The host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
data/inputs/win-event-log-collections/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| hosts | String | A comma-separated list of additional hosts to be used for monitoring. The first host should be specified with "lookup_host", and the additional ones using this parameter. | |
| index | String | default | The index in which to store the gathered data. |
| logs | String | A comma-separated list of event log names to gather data from. | |
| lookup_host required | String | This is a host from which we monitor log events. To specify additional hosts to be monitored using WMI, use the "hosts" parameter. |
| Name | Description |
|---|---|
| disabled | Indicates if the input is disabled. |
| hosts | The hosts that you are monitoring. |
| index | The index in which to store the gathered data. |
| logs | List of event log channels to monitor. |
| lookup_host | The host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-wmi-collections
Authentication: Not required
Provides access to all configured WMI collections.
| Method | Description | Formats |
|---|---|---|
| GET | Provides access to all configure WMI collections. | XML, JSON |
| POST | Creates or modifies existing WMI collection settings. | XML, JSON |
data/inputs/win-wmi-collections method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| class | The WMI performance object class being monitored. |
| disabled | Indicates whther the input is disbled. |
| fields | The WMI performance counters being monitored. |
| index | The index to which you are sending input data. |
| instances | Instances of the WMI performance counter. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| name | the name of the input. |
| server | The server you are monitoring. |
| wql | The actual WQL query for monitoring the performance object. |
data/inputs/win-wmi-collections method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| classes required | String | A valid WMI class name. | |
| disabled | Number | 0 | Disables the given collection. |
| fields | String | 1. * | Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | empty | Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. |
| interval required | Number | The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host required | String | This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| name required | String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| server | String | localhost | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host. |
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | The host from which to monitor log events. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-wmi-collections/{name}
Authentication: Not required
Manage the {name} WMI collection.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given collection. | XML, JSON |
| GET | Gets information about a single collection. | XML, JSON |
| POST | Modifies a given WMI collection. | XML, JSON |
data/inputs/win-wmi-collections/{name} method detailNone
None
The method returns HTTP status code = 400, if {name} does not exist.
data/inputs/win-wmi-collections/{name} method detailNone
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) is queried. |
| lookup_host | The host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers frpm which to gather data from. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
data/inputs/win-wmi-collections/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| classes required | String | A valid WMI class name. | |
| disabled | Number | Disables the given collection. | |
| fields | String | Properties (fields) that you want to gather from the given class.
Specify each property as a separate argument to the POST operation. | |
| index | String | The index in which to store the gathered data. | |
| instances | String | Instances of a given class for which data is gathered.
Specify each instance as a separate argument to the POST operation. | |
| interval required | Number | The interval, in seconds, at which the WMI provider(s) is queried. | |
| lookup_host required | String | This is the server from which we is gathering WMI data. If you need to gather data from more than one machine, additional servers can be specified in the 'server' parameter. | |
| server | String | A comma-separated list of additional servers that you want to gather data from. Use this if you need to gather from more than a single machine. See also lookup_host parameter. |
| Name | Description |
|---|---|
| classes | A valid WMI class name. |
| disabled | Indicates if the input is disabled. |
| fields | Properties (fields) that you want to gather from the given class. |
| index | The index in which to store the gathered data. |
| instances | Instances of a given class for which data is gathered. |
| interval | The interval, in seconds, at which the WMI provider(s) are queried. |
| lookup_host | The host from which to monitor log events. |
| name | The name of the collection. This name appears in a configuration file, as well as the source and the sourcetype of the indexed data. If the value is localhost, it uses native event log collection; otherwise, it uses WMI. |
| server | Servers from which to gather data. Used if you need to gather from more than a single machine. See also lookup_host. |
| wql | The actual WQL query for monitoring the performance object. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-perfmon
Authentication: Not required
Provides access to performance monitoring configuration. This input allows you to poll Windows performance monitor counters.
| Method | Description | Formats |
|---|---|---|
| GET | Gets current performance monitoring configuration. | XML, JSON |
| POST | Creates new or modifies existing performance monitoring collection settings. | XML, JSON |
data/inputs/win-perfmon method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
data/inputs/win-perfmon method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| name required | String | This is the name of the collection. This name appears in configuration file, as well as the source and the sourcetype of the indexed data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
[ Top ]
https://<host>:<mPort>/services/data/inputs/win-perfmon/{name}
Authentication: Not required
Manage the {name} performance monitoring stanza.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a given monitoring stanza. | XML, JSON |
| GET | Gets settings for a given perfmon stanza. | XML, JSON |
| POST | Modifies existing monitoring stanza | XML, JSON |
data/inputs/win-perfmon/{name} method detailNone
None
data/inputs/win-perfmon/{name} method detailNone
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How often, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor. |
data/inputs/win-perfmon/{name} method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| counters | String | A set of counters to monitor. A '*' is equivalent to all counters.
Specify each counter as a separate argument to the POST operation. | |
| host | String | Docs-W8R2-Std7 | Name of the host for the Windows Performance Monitor. |
| index | String | default | The index in which to store the gathered data. |
| instances | String | A set of counter instances to monitor. A '*' is equivalent to all instances.
Specify each instance as a separate argument to the POST operation. | |
| interval | Number | How frequently, in seconds, to poll for new data. | |
| object | String | A valid performance monitor object (for example, 'Process,' 'Server,' 'PhysicalDisk.') | |
| source | String | Source for inputs. | |
| sourcetype | String | Source type of input. |
| Name | Description |
|---|---|
| counters | List of valid Performance Monitor counters. |
| disabled | Indicates whether the input is disabled. |
| host | Name of the host for the Windows Performance Monitor. |
| index | The index that this input should send data to.
If no value is present, send data to the default index. |
| instances | List of valid instances for a Performance Monitor counter. |
| interval | How frequently, in seconds, to poll for new data. |
| object | A valid Performance Monitor object as defined within Performance Monitor, |
| source | Source for inputs. |
| sourcetype | Source type of the input. |
[ Top ]
https://<host>:<mPort>/services/data/modular-inputs
Authentication: Not required
Provides access to currently defined modular inputs on the system.
| Method | Description | Formats |
|---|---|---|
| GET | Lists information about configured modular inputs. | XML, JSON |
data/modular-inputs method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| description | Provides descriptive text for title in the Splunk Manager page for Data inputs.
The description also appears on the Add new data inputs Manager page. For more information, refer to Modular inputs: Introspection scheme details. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint.
For more information, refer to Modular inputs: Introspection scheme details. |
| streaming_mode | Indicates the streaming mode for the modular input.
Valid values:
For more information, refer to Modular inputs: Introspection scheme details. |
| title | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspection scheme details. |
For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.
[ Top ]
https://<host>:<mPort>/services/data/modular-inputs/{name}
Authentication: Not required
Get information about the {name} modular input.
| Method | Description | Formats |
|---|---|---|
| GET | Lists information about the modular input specified by {name}. | XML, JSON |
data/modular-inputs/{name} method detailNone
| Name | Description |
|---|---|
| description | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspcetion scheme details. |
| endpoint | Contains one or more <arg> elements, which define the parameters to an endpoint.
For more information, refer to Modular inputs: Introspcetion scheme details. |
| streaming_mode | Indicates the streaming mode for the modular input.
Valid values:
Contains one or more <arg> elements, which define the parameters to an endpoint. For more information, refer to Modular inputs: Introspcetion scheme details. |
| title | The label for a modular input script.
The label appears in the Splunk Manager page for Data inputs. For more information, refer to Modular inputs: Introspection scheme details. |
For more information on modular inputs, see Modular inputs overview in the Developing Views and Apps for Splunk Web manual.
[ Top ]
https://<host>:<mPort>/services/indexing/preview
Authentication: Not required
Preview events from a source file before you index the file.
| Method | Description | Formats |
|---|---|---|
| GET | Return a list of all data preview jobs. Data returned includes the Splunk Enterprise management URI to access each preview job. | XML, JSON |
| POST | Create a preview data job for the specified source file, returning the preview data job ID. | XML, JSON |
indexing/preview method detailNone
None
ou can also check the status of a data preview job with GET /search/jobs/{search_id} to obtain information such as the dispatchState, doneProgress, and eventCount. For more information, see GET /search/jobs/{search_id}.
Use the data preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to preview events from the source file.
Data returned includes the Splunk Enterprise management URI for each data preview job.
indexing/preview method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| input.path required | String | The absolute file path to a local file that you want to preview data returned from indexing. | |
| props.<props_attr> | String | Define a new sourcetype in props.conf for preview data that you are indexing.
Typically, you first examine preview data events returned from GET /search/jobs/{job_id}events. Then you define new sourcetypes as needed with this endpoint. |
None
Use the POST operation of this endpoint to create a data preview job and return the corresponding data preview job ID.
Use the preview job ID as the search_id parameter in GET /search/jobs/{search_id}/results_preview to obtain a data preview.
You can optionally define sourcetypes for preview data job in props.conf.
[ Top ]
https://<host>:<mPort>/services/indexing/preview/{job_id}
Authentication: Not required
Get props.conf file settings for the {job_id} job.
| Method | Description | Formats |
|---|---|---|
| GET | Returns the props.conf settings for the data preview job specified by {job_id}. | XML, JSON |
indexing/preview/{job_id} method detailNone
None
[ Top ]
https://<host>:<mPort>/services/receivers/simple
Authentication: Not required
Allows for sending events to Splunk Enterprise in an HTTP request.
| Method | Description | Formats |
|---|---|---|
| POST | Create events from the contents contained in the HTTP body. | XML, JSON |
receivers/simple method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| <arbitrary_data> required | String | Raw event text. This is the entirety of the HTTP request body. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | default | The index to send events from this input to. |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
None
[ Top ]
https://<host>:<mPort>/services/receivers/stream
Authentication: Not required
Open a socket to receive streaming data.
| Method | Description | Formats |
|---|---|---|
| POST | Create events from the stream of data following HTTP headers. | XML, JSON |
receivers/stream method detail| Name | Datatype | Default | Description |
|---|---|---|---|
| <data_stream> required | String | Raw event text. This does not need to be presented as a complete HTTP request, but can be streamed in as data is available. | |
| host | String | The value to populate in the host field for events from this data input. | |
| host_regex | String | A regular expression used to extract the host value from each event. | |
| index | String | The index to send events from this input to. | |
| source | String | The source value to fill in the metadata for this input's events. | |
| sourcetype | String | The sourcetype to apply to events from this input. |
None
Data transfer continues until you enter <CTRL-C>.
For streaming connections, set streaming and x-splunk-input-mode arguments in the header.
[ Top ]
curl -k -u admin:pass https://localhost:8089/services/data/inputs/ad
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/services/data/inputs/ad</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/ad/_new" rel="create"/>
<link href="/services/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>NearestDC</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/ad/NearestDC</id>
<updated>2011-07-29T19:13:28-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/ad/NearestDC/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">1</s:key>
<s:key name="startingNode"/>
<s:key name="targetDc"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/inputs/ad -d monitorSubtree=0 -d name=newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:14:57-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:22:50-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>newdc</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad/newdc</id>
<updated>2011-07-29T19:18:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/newdc/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>startingNode</s:item>
<s:item>targetDc</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>monitorSubtree</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubtree">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/ad/newdc -d monitorSubtree=1
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-admon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/ad</id>
<updated>2011-07-29T19:20:16-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/ad/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/ad/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/all
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>all</title>
<id>https://localhost:8089/services/data/inputs/all</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/all/_new" rel="create"/>
<link href="/services/data/inputs/all/_reload" rel="_reload"/>
<link href="/services/data/inputs/all/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title></title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/all//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/all/" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/all//enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">splunks-ombra.sv.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>$SPLUNK_HOME/etc/splunk.version</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
<updated>2012-10-01T16:08:24-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/all/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_TCP_ROUTING">*</s:key>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="filecount">1</s:key>
<s:key name="host">splunks-ombra.sv.splunk.com</s:key>
<s:key name="index">_internal</s:key>
<s:key name="sourcetype">splunk_version</s:key>
</s:dict>
</content>
</entry>
. . . elided ...
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/all/twitter
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>all</title>
<id>https://localhost:8089/services/data/inputs/all</id>
<updated>2012-07-11T08:03:17-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/all/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/inputs/all/twitter</id>
<updated>2012-07-11T08:03:17-07:00</updated>
<link href="/services/data/inputs/all/twitter" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/all/twitter" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Twitter.</s:key>
... eai:acl nodes and eai:attribute nodes elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
<s:key name="order">0</s:key>
<s:key name="title">Twitter feed name</s:key>
</s:dict>
</s:key>
<s:key name="password">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your twitter password</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Password</s:key>
</s:dict>
</s:key>
<s:key name="username">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Twitter ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Twitter ID/Handle</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">simple</s:key>
<s:key name="title">Twitter</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/monitor
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/services/data/inputs/monitor</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/monitor/_new" rel="create"/>
<link href="/services/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>$SPLUNK_HOME/etc/splunk.version</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version</id>
<updated>2011-07-10T14:25:53-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version" rel="edit"/>
<link href="/servicesNS/nobody/system/data/inputs/monitor/%24SPLUNK_HOME%252Fetc%252Fsplunk.version/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_TCP_ROUTING">*</s:key>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="filecount">1</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">_internal</s:key>
<s:key name="sourcetype">splunk_version</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor -d name=/var/log
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:27:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:35-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog</id>
<updated>2011-07-10T14:33:54-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members" rel="members"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>blacklist</s:item>
<s:item>check-index</s:item>
<s:item>check-path</s:item>
<s:item>crc-salt</s:item>
<s:item>followTail</s:item>
<s:item>host</s:item>
<s:item>host_regex</s:item>
<s:item>host_segment</s:item>
<s:item>ignore-older-than</s:item>
<s:item>index</s:item>
<s:item>recursive</s:item>
<s:item>rename-source</s:item>
<s:item>sourcetype</s:item>
<s:item>time-before-close</s:item>
<s:item>whitelist</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="filecount">108</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog -d recursive=false
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:35:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog/members
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>monitor</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/acpid</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid</id>
<updated>2011-07-10T14:34:28-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/monitor/%252Fvar%252Flog%252Facpid" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/distccd.log</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fdistccd.log" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">7200768</s:key>
<s:key name="Offset">7200768</s:key>
<s:key name="Size">449630160</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:47:53 PDT 2011</s:key>
... eai:acl node elided ...
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot -d name=/var/log/messages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:48:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>oneshotinput</title>
<id>https://localhost:8089/services/data/inputs/oneshot</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/oneshot/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/var/log/messages</title>
<id>https://localhost:8089/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages</id>
<updated>2011-07-08T01:49:20-07:00</updated>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/oneshot/%252Fvar%252Flog%252Fmessages" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="Bytes Indexed">114822</s:key>
<s:key name="Offset">114822</s:key>
<s:key name="Size">114822</s:key>
<s:key name="Sources Indexed">0</s:key>
<s:key name="Spool Time">Fri Jul 8 01:48:04 PDT 2011</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/registry
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/registry</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/registry/_new" rel="create"/>
<link href="/services/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Machine keys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/Machine%20keys</id>
<updated>2011-07-29T19:31:32-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/Machine%20keys/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">0</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hive">HKLM</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry -d baseline=1 -d hive="HKU\\.*" -d name=mykeys -d proc="c:\\.*" -d type="set|create|delete|rename"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:29:18-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:54-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mykeys</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry/mykeys</id>
<updated>2011-07-29T19:33:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/mykeys/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="baseline">1</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>monitorSubnodes</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>baseline</s:item>
<s:item>hive</s:item>
<s:item>proc</s:item>
<s:item>type</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hive">HKU</s:key>
<s:key name="index">default</s:key>
<s:key name="monitorSubnodes">1</s:key>
<s:key name="proc">c:\.*</s:key>
<s:key name="type">
<s:list>
<s:item>set</s:item>
<s:item>create</s:item>
<s:item>delete</s:item>
<s:item>rename</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/registry/mykeys -d baseline=1 -d hive="HKU\\.*" -d proc="c:\\.*" -d type="set|create"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-regmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/registry</id>
<updated>2011-07-29T19:36:07-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/registry/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/registry/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/script
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/services/data/inputs/script</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/script/_new" rel="create"/>
<link href="/services/data/inputs/script/_reload" rel="_reload"/>
<link href="/services/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/Applications/splunk4.3/etc/apps/unix/bin/cpu.sh</title>
<id>https://localhost:8089/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh</id>
<updated>2011-07-09T20:16:11-07:00</updated>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="list"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh" rel="edit"/>
<link href="/servicesNS/nobody/unix/data/inputs/script/.%252Fbin%252Fcpu.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="endtime">Sat Jul 9 20:15:54 2011</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">myhost.splunk.com</s:key>
<s:key name="index">os</s:key>
<s:key name="interval">30</s:key>
<s:key name="source">cpu</s:key>
<s:key name="sourcetype">cpu</s:key>
<s:key name="starttime">Sat Jul 9 20:15:52 2011</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script -d name=/Applications/splunk4.3/etc/apps/myApp/bin/myScript.sh -d disabled=true -d interval=3600
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:25:17-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/restart -d script=/Applications/splunk/bin/scripts/myScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:38:38-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk4.3%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:29:18-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>/Applications/splunk/etc/apps/myApp/bin/myScript.sh</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh</id>
<updated>2011-07-09T21:53:43-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>interval</s:item>
<s:item>rename-source</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">exec commands</s:key>
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
<s:key name="interval">3600</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/script/%252FApplications%252Fsplunk%252Fetc%252Fapps%252FmyApp%252Fbin%252FmyScript.sh -d interval=86400
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>script</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/script</id>
<updated>2011-07-09T20:27:59-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/script/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/script/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/script/restart" rel="restart"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/cooked
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/services/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/services/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>9993</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9993</id>
<updated>2011-07-10T14:50:50-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9993/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked -d name=9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:33-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/tiny:9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:54:45-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>9998</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998</id>
<updated>2011-07-10T14:52:40-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998 -d restrictToHost=tiny
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-10T14:52:54-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>cooked</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked</id>
<updated>2011-07-13T14:55:18-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>Cooked:9998:127.0.0.1:20089</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089</id>
<updated>2011-07-13T14:55:18-0700</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/cooked/Cooked%3A9998%3A127.0.0.1%3A20089" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1:20089</s:key>
... eai:acl node elided ...
<s:key name="servername">fool03.splunk.com</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44000</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw -d name=44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:31-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44343</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343</id>
<updated>2011-07-08T02:37:09-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/44343/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>SSL</s:item>
<s:item>connection_host</s:item>
<s:item>disabled</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>queue</s:item>
<s:item>restrictToHost</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw/44343 -d sourcetype=syslog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>raw</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/tcp/raw</id>
<updated>2011-07-08T02:30:30-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/raw/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>raw</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/raw/_new" rel="create"/>
<link href="/services/data/inputs/tcp/raw/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Raw:9998:127.0.0.1</title>
<id>https://localhost:8089/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1</id>
<updated>2011-07-13T16:14:33-07:00</updated>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="list"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1/_reload" rel="_reload"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="edit"/>
<link href="/services/data/inputs/tcp/raw/Raw%3A9998%3A127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="connection">9998:127.0.0.1</s:key>
... eai:acl node elided ...
<s:key name="servername"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:02:58-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title/>
<id>https://localhost:8089/servicesNS/nobody/system/data/inputs/tcp/ssl/</id>
<updated>2011-07-12T15:04:41-07:00</updated>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="list"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl//_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/inputs/tcp/ssl/" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="cipherSuite">ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="host">ombroso-mbp15.splunk.com</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/tcp/ssl/ssl -d disabled=true
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>ssl</title>
<id>https://localhost:8089/services/data/inputs/tcp/ssl</id>
<updated>2011-07-12T15:05:42-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/tcp/ssl/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/udp
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/services/data/inputs/udp</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/udp/_new" rel="create"/>
<link href="/services/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44000</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44000</id>
<updated>2011-07-08T14:11:57-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44000/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp -d name=44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:13-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>44321</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321</id>
<updated>2011-07-08T14:12:27-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/connections" rel="connections"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/44321/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="_rcvbuf">1572864</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>connection_host</s:item>
<s:item>host</s:item>
<s:item>index</s:item>
<s:item>no_appending_timestamp</s:item>
<s:item>no_priority_stripping</s:item>
<s:item>queue</s:item>
<s:item>source</s:item>
<s:item>sourcetype</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="group">listenerports</s:key>
<s:key name="host">MrT</s:key>
<s:key name="index">default</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/44321 -d sourcetype=syslog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-08T14:12:47-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/9998/connections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>udp</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<generator version="103477"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>127.0.0.1</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/inputs/udp/127.0.0.1</id>
<updated>2011-07-13T17:08:18-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/udp/127.0.0.1" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="group">hosts</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-event-log-collections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:26:47-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections -d lookup_host=localhost -d name=mylogs -d logs=Application,System
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T11:56:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:45:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mylogs</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs</id>
<updated>2011-07-27T12:00:38-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>hosts</s:item>
<s:item>index</s:item>
<s:item>logs</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="hosts"/>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application,System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">mylogs</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections/mylogs -d lookup_host=localhost -d logs=Application
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-event-log-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-event-log-collections</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-event-log-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost</id>
<updated>2011-07-27T13:43:46-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-event-log-collections/localhost" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="hosts">localhost</s:key>
<s:key name="index">default</s:key>
<s:key name="logs">
<s:list>
<s:item>Application</s:item>
<s:item>ForwardedEvents</s:item>
<s:item>HardwareEvents</s:item>
<s:item>Internet Explorer</s:item>
<s:item>Security</s:item>
<s:item>Setup</s:item>
<s:item>System</s:item>
</s:list>
</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">localhost</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-wmi-collections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/services/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:00:24-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="class">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="fields">
<s:list>
<s:item>PercentProcessorTime</s:item>
<s:item>PercentUserTime</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list>
<s:item>_Total</s:item>
</s:list>
</s:key>
<s:key name="interval">3</s:key>
<s:key name="name"/>
<s:key name="server">localhost</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d name=cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>CPUTime</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime</id>
<updated>2011-07-27T14:05:43-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-wmi-collections/CPUTime" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="interval">3</s:key>
<s:key name="wql">SELECT PercentProcessorTime,PercentUserTime FROM Win32_PerfFormattedData_PerfOS_Processor WHERE Name="_Total"</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:21:17-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:09:39-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>disabled</s:item>
<s:item>fields</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>server</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>classes</s:item>
<s:item>interval</s:item>
<s:item>lookup_host</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu -d classes=Win32_PerfFormattedData_PerfOS_Processor -d interval=5 -d lookup_host=localhost -d server=xx.1.5.157,10.1.5.158
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-wmi-collections</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<generator version="103620"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>cpu</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu</id>
<updated>2011-07-27T14:15:33-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-wmi-collections/cpu" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="classes">Win32_PerfFormattedData_PerfOS_Processor</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="fields">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">5</s:key>
<s:key name="lookup_host">localhost</s:key>
<s:key name="name">cpu</s:key>
<s:key name="server"/>
<s:key name="wql">Select * from Win32_PerfFormattedData_PerfOS_Processor</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/inputs/win-perfmon
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/services/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/services/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:42:06-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/enable" rel="enable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list>
<s:item>Available Bytes</s:item>
</s:list>
</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon -d interval=4 -d name=mymemory -d object=Memory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:40:38-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:47:06-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>mymemory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory</id>
<updated>2011-07-29T19:44:21-07:00</updated>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="list"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="edit"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory" rel="remove"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">
<s:list/>
</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>counters</s:item>
<s:item>disabled</s:item>
<s:item>index</s:item>
<s:item>instances</s:item>
<s:item>interval</s:item>
<s:item>object</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="index">default</s:key>
<s:key name="instances">
<s:list/>
</s:key>
<s:key name="interval">4</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/inputs/win-perfmon/mymemory -d interval=10
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>win-perfmon</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/search/data/inputs/win-perfmon</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<generator version="104976"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/inputs/win-perfmon/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Available Memory</title>
<id>https://10.1.5.157:8089/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory</id>
<updated>2011-07-29T19:45:59-07:00</updated>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="list"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/windows/data/inputs/win-perfmon/Available%20Memory" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="counters">Available Bytes</s:key>
<s:key name="disabled">1</s:key>
... eai:acl node elided ...
<s:key name="instances"/>
<s:key name="interval">10</s:key>
<s:key name="object">Memory</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>modular-inputs</title>
<id>https://localhost:8089/services/data/modular-inputs</id>
<updated>2012-07-09T09:12:41-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>s3</title>
<id>https://localhost:8089/services/data/modular-inputs/s3</id>
<updated>2012-07-09T09:12:41-07:00</updated>
<link href="/services/data/modular-inputs/s3" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/modular-inputs/s3" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Amazon S3.</s:key>
... eai:acl node elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="key_id">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Amazon key ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Key ID</s:key>
</s:dict>
</s:key>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description"><![CDATA[An S3 resource name without the leading s3://. For example, for s3://bucket/file.txt specify bucket/file.txt. You can also monitor a whole bucket (for example by specifying 'bucket'), or files within a sub-directory of a bucket (for example 'bucket/some/directory/'; note the trailing slash).]]></s:key>
<s:key name="order">0</s:key>
<s:key name="title">Resource name</s:key>
</s:dict>
</s:key>
<s:key name="secret_key">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Amazon secret key.</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Secret key</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">xml</s:key>
<s:key name="title">Amazon S3</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/modular-inputs/twitter</id>
. . . elided . . .
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/modular-inputs/twitter
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>modular-inputs</title>
<id>https://localhost:8089/services/data/modular-inputs</id>
<updated>2012-07-09T11:07:29-07:00</updated>
<generator build="129290" version="5.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>twitter</title>
<id>https://localhost:8089/services/data/modular-inputs/twitter</id>
<updated>2012-07-09T11:07:29-07:00</updated>
<link href="/services/data/modular-inputs/twitter" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/modular-inputs/twitter" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="description">Get data from Twitter.</s:key>
... eai:acl and eai:attribute nodes elided ...
<s:key name="endpoint">
<s:dict>
<s:key name="args">
<s:dict>
<s:key name="name">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Name of the current feed using the user credentials supplied.</s:key>
<s:key name="order">0</s:key>
<s:key name="title">Twitter feed name</s:key>
</s:dict>
</s:key>
<s:key name="password">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your twitter password</s:key>
<s:key name="order">2</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Password</s:key>
</s:dict>
</s:key>
<s:key name="username">
<s:dict>
<s:key name="data_type">string</s:key>
<s:key name="description">Your Twitter ID.</s:key>
<s:key name="order">1</s:key>
<s:key name="required_on_create">1</s:key>
<s:key name="required_on_edit">0</s:key>
<s:key name="title">Twitter ID/Handle</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="streaming_mode">simple</s:key>
<s:key name="title">Twitter</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/indexing/preview
feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>preview</title>
<id>https://localhost:8089/services/indexing/preview</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>1322518170.8</title>
<id>https://localhost:8089/services/indexing/preview/1322518170.8</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322518170.8" rel="alternate"/>
<link href="/services/search/jobs/1322518170.8" rel="job"/>
</entry>
<entry>
<title>1322519686.9</title>
<id>https://localhost:8089/services/indexing/preview/1322519686.9</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519686.9" rel="alternate"/>
<link href="/services/search/jobs/1322519686.9" rel="job"/>
</entry>
<entry>
<title>1322519724.10</title>
<id>https://localhost:8089/services/indexing/preview/1322519724.10</id>
<updated>2011-11-28T14:35:35-08:00</updated>
<link href="/services/indexing/preview/1322519724.10" rel="alternate"/>
<link href="/services/search/jobs/1322519724.10" rel="job"/>
</entry>
</feed></pre>
curl -k -u admin:pass https://localhost:8089/services/indexing/preview -d input.path=/Applications/splunk/var/log/splunk/metrics.log
<response>
<messages>
<msg type='INFO'>1319496093.11</msg>
</messages>
</response>
curl -k -u admin:pass https://localhost:8089/services/indexing/preview/1319496093.11
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>1319496093.11</title>
<id>https://localhost:8089/services/indexing/preview/1319496093.11</id>
<updated>2011-10-24T15:44:09-07:00</updated>
<link href="/services/indexing/preview/1319496093.11" rel="alternate"/>
<content type="text/xml">
<s:dict>
<s:key name="explicit">
<s:dict>
<s:key name="PREFERRED_SOURCETYPE">
<s:dict>
<s:key name="value">splunkd</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="inherited">
<s:dict>
<s:key name="ANNOTATE_PUNCT">
<s:dict>
<s:key name="value">True</s:key>
<s:key name="stanza">default</s:key>
</s:dict>
</s:key>
. . . elided . . .
<s:key name="sourcetype">
<s:dict>
<s:key name="value">splunkd</s:key>
<s:key name="stanza">source::.../var/log/splunk/metrics.log(.\d+)?</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
</s:dict>
</content>
<link href="/services/search/jobs/1319496093.11" rel="job"/>
</entry>
curl -k -u admin:pass "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" -d "Sun Jul 10 15:56:02 PDT 2011 User myusername logged in successfully."
<response>
<results>
<result>
<field k="_index">
<value>
<text>default</text>
</value>
</field>
<field k="bytes">
<value>
<text>67</text>
</value>
</field>
<field k="host">
<value>
<text>127.0.0.1</text>
</value>
</field>
<field k="source">
<value>
<text>www</text>
</value>
</field>
<field k="sourcetype">
<value>
<text>web_event</text>
</value>
</field>
</result>
</results>
</response>
import httplib, time
conn = httplib.HTTPSConnection("localhost", 8089)
conn.connect()
conn.putrequest("POST", "/services/receivers/stream?source=www&sourcetype=web_data")
conn.putheader("Authorization", "Splunk 67bed982ce1af9ba2e393b15ed63c916")
conn.putheader("x-splunk-input-mode", "streaming")
conn.endheaders()
while True:
conn.send("%s A sample event.\n" % time.asctime())
time.sleep(1)
Streamed data
Get information about the system.
https://<host>:<mPort>/services/data/index-volumes
Authentication: Not required
Provides information about the volume (logical drives) in use by Splunk Enterprise.
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
| Method | Description | Formats |
|---|---|---|
| GET | List the Splunk Enterprise volume(s). | XML, JSON |
data/index-volumes method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| max_size | Maximum name volume size limit (MB):
|
| name | Volume name. |
| total_size | Total name volume capacity (MB). If max_size is infinite, this field is not listed.
|
[ Top ]
https://<host>:<mPort>/services/data/index-volumes/{name}
Authentication: Not required
Provides information about a particular volume (logical drive).
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
| Method | Description | Formats |
|---|---|---|
| GET | List specified volume properties. | XML, JSON |
data/index-volumes/{name} method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| max_size | Maximum name volume size limit (MB):
|
| name | Volume name. |
| total_size | Total name volume capacity (MB). If max_size is infinite, this field is not listed.
|
[ Top ]
https://<host>:<mPort>/services/data/indexes
Authentication: Not required
Provides services to create and manage data indexes.
| Method | Description | Formats |
|---|---|---|
| GET | Lists the recognized indexes on the server. | XML, JSON |
| POST | Creates a new index with the given name. | XML, JSON |
data/indexes method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| assureUTF8 | Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance.
This is a global setting, not a per index setting. |
| blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
| coldPath | Filepath to the cold databases for the index. |
| coldPath_expanded | Absoute filepath to the cold databases. |
| coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
| coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
| compressRawdata | This value is ignored. splunkd process always compresses raw data. |
| currentDBSizeMB | Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths. |
| defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
| disabled | Indicates if the index is disabled. |
| enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
| frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| homePath | An absolute path that contains the hot and warm buckets for the index. |
| homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
| indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
| isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
| lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
| maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
| maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
| maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxRunningProcessGroups | Maximum number of processes that the indexer fires off at a time.
This is a global setting, not a per index setting. |
| maxTime | UNIX timestamp of the newest event time in the index. |
| maxTotalDataSizeMB | The maximum size of an index, in MB. |
| maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
| memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
| minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
| minTime | UNIX timestamp of the oldest event time in the index. |
| partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
| quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
| rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check:
|
| serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| summarize | If true, leaves out certain index details, which provides a faster response. |
| suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
| sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
| syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
| thawedPath | An absolute path that contains the thawed (resurrected) databases for the index. |
| thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
| throttleCheckPeriod | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| totalEventCount | Total number of events in the index. |
data/indexes method detail| Name | Type | Default | Description |
|---|---|---|---|
| blockSignSize | Number | 0 | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| bucketRebuildMemoryHint | String | auto | Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.
Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value,
Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent. |
| coldPath | String | An absolute path that contains the colddbs for the index. The path must be readable and writable. Cold databases are opened as needed when searching. May be defined in terms of a volume definition (see volume section below).
Required. Splunk Enterprise does not start if an index lacks a valid coldPath. | |
| coldToFrozenDir | String | Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence | |
| coldToFrozenScript | String | Path to the archiving script.
If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following:
By default, the example script has two possible behaviors when archiving:
| |
| compressRawdata | Boolean | true | This parameter is ignored. The splunkd process always compresses raw data. |
| enableOnlineBucketRepair | Boolean | true | Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk.
When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation. |
| frozenTimePeriodInSecs | Number | 188697600 | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| homePath | String | An absolute path that contains the hot and warm buckets for the index.
Required. Splunk Enterprise does not start if an index lacks a valid homePath. CAUTION: Path MUST be readable and writable. | |
| maxBloomBackfillBucketAge | Number | 30d | Valid values are: Integer[m|s|h|d]
If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it. |
| maxConcurrentOptimizes | Number | 6 | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | Number | auto | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Number | 3 | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Number | 0 | Maximum life, in seconds, of a hot bucket. Defaults to 0.
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time). |
| maxHotSpanSecs | Number | 7776000 | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | Number | 5 | The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance. |
| maxMetaEntries | Number | 1000000 | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxTimeUnreplicatedNoAcks | Number | 300 | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
| maxTimeUnreplicatedWithAcks | Number | 60 | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
| maxTotalDataSizeMB | Number | 500000 | The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen. |
| maxWarmDBCount | Number | 300 | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times is moved to cold. |
| minRawFileSyncSecs | Number | disable | Specify an integer (or "disable") for this parameter.
This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed |
| minStreamGroupQueueSize | Number | 2000 | Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Caution: Do not set this value, except under advice from Splunk Support. |
| name required | String | The name of the index to create. | |
| partialServiceMetaPeriod | Number | 0 | Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.
If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero). |
| processTrackerServiceInterval | Number | 1 | Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.
If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295. |
| quarantineFutureSecs | Number | 2592000 | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Number | 77760000 | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Number | 131072 | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support. |
| repFactor | String | 0 | Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.
|
| rotatePeriodInSecs | Number | 60 | How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
| serviceMetaPeriod | Number | 25 | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| syncMeta | Boolean | true | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of a Splunk Support. |
| thawedPath | String | An absolute path that contains the thawed (resurrected) databases for the index.
Cannot be defined in terms of a volume definition. Required. Splunk Enterprise does not start if an index lacks a valid | |
| throttleCheckPeriod | Number | 15 | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| tstatsHomePath | String | Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.
If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. Default value: volume:_splunk_summaries/$_index_name/tstats | |
| warmToColdScript | String | Path to a script to run when moving data from warm to cold.
This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration is not used. |
| Name | Description |
|---|---|
| assureUTF8 | Boolean value indicating wheter all data retreived from the index is proper UTF8.
If enabled (set to True), degrades indexing performance Can only be set globally. |
| blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
| bucketRebuildMemoryHint | Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make. |
| coldPath | Filepath to the cold databases for the index. |
| coldPath_expanded | Absoute filepath to the cold databases. |
| coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
| coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
| compressRawdata | This value is ignored. splunkd process always compresses raw data. |
| currentDBSizeMB | Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths. |
| defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
| enableOnlineBucketRepair | Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk. |
| enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
| frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| homePath | An absolute path that contains the hot and warm buckets for the index. |
| homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
| indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
| isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
| lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
| maxBloomBackfillBucketAge | If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter. |
| maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
| maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
| maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxTime | UNIX timestamp of the newest event time in the index. |
| maxTimeUnreplicatedNoAcks | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
| maxTimeUnreplicatedWithAcks | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
| maxTotalDataSizeMB | The maximum size of an index, in MB. |
| maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
| memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
| minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
| minStreamGroupQueueSize | Minimum size of the queue that stores events in memory before committing them to a tsidx file. |
| minTime | UNIX timestamp of the oldest event time in the index. |
| partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
| processTrackerServiceInterval | How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. |
| quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
| repFactor | Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.
|
| rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check:
|
| serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
| sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
| syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
| thawedPath | Filepath to the thawed (resurrected) databases for the index. |
| thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
| throttleCheckPeriod | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| totalEventCount | Total number of events in the index. |
| tstatsHomePath | Location where datamodel acceleration TSIDX data for this index is stored. |
| warmToColdScript | Script to run when moving data from warm to cold. See input parameter description for details. |
[ Top ]
https://<host>:<mPort>/services/data/indexes/{name}
Authentication: Not required
Manage {name} index.
| Method | Description | Formats |
|---|---|---|
| DELETE | Removes the index specified by {name} (not just the data contained in it). | XML, JSON |
| GET | Retrieves information about the named index. | XML, JSON |
| POST | Updates the data index specified by {name} with information specified with index attributes. | XML, JSON |
data/indexes/{name} method detailNone
None
Before executing this operation, look through all inputs.conf files (on your indexer and on any forwarders sending data to the indexer) and make sure that none of the stanzas are directing data to the index you plan to delete.
In other words, if you want to delete an index called "nogood," make sure the attribute/value pair index=nogood does not appear in any input stanzas. Once the index is deleted, Splunk Enterprise discards any data sent to that index.
For information on deleting indexes and deleting data from indexes, refer to Remove data from Splunk Enterprise in the Splunk Managing Indexers and Clusters manual.
The method returns HTTP status code = 409, if {name} was disabled but Splunk Enterprise was not restarted. Restart Splunk Enterprise and try again.
data/indexes/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| summarize | Boolean | false | [Optional] Response type:
|
| Name | Description |
|---|---|
| assureUTF8 | Indicates whether all data retreived from the index is proper UTF8. If enabled (set to True), degrades indexing performance.
This is a global setting, not a per index setting. |
| blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
| bloomfilterTotalSizeKB | Total size of all bloom filter files, in KB. |
| coldPath | Filepath to the cold databases for the index. |
| coldPath_expanded | Absoute filepath to the cold databases. |
| coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
| coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
| compressRawdata | This value is ignored. splunkd process always compresses raw data. |
| currentDBSizeMB | Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths. |
| defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
| disabled | Indicates if the index is disabled. |
| enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
| frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| homePath | An absolute path that contains the hot and warm buckets for the index. |
| homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
| indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
| isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
| lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
| maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
| maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
| maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxRunningProcessGroups | Maximum number of processes that the indexer fires off at a time.
This is a global setting, not a per index setting. |
| maxTime | UNIX timestamp of the newest event time in the index. |
| maxTotalDataSizeMB | The maximum size of an index, in MB. |
| maxWarmDBCount | Maximum number of warm buckets. |
| memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
| minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
| minTime | UNIX timestamp of the oldest event time in the index. |
| numBloomfilters | The number of bloom filters created for this index. |
| numHotBuckets | The number of hot buckets created for this index. |
| numWarmBuckets | The number of warm buckets created for this index. |
| partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
| quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" that are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
| rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check:
|
| serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| summarize | If true, leaves out certain index details, which provides a faster response. |
| suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
| sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
| syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
| thawedPath | An absolute path that contains the thawed (resurrected) databases for the index. |
| thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
| throttleCheckPeriod | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| totalEventCount | Total number of events in the index. |
data/indexes/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| blockSignSize | Number | 0 | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| bucketRebuildMemoryHint | String | auto | Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make.
Caution: This is an advanced parameter. Inappropriate use of this parameter causes splunkd to not start if rebuild is required. Do not set this parameter unless instructed by Splunk Support. Default value,
Values other than "auto" must be 16MB-1GB. Highest legal value (of the numerical part) is 4294967295 You can specify the value using a size suffix: "16777216" or "16MB" are equivalent. |
| coldToFrozenDir | String | Destination path for the frozen archive. Use as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence | |
| coldToFrozenScript | String | Path to the archiving script.
If your script requires a program to run it (for example, python), specify the program followed by the path. The script must be in $SPLUNK_HOME/bin or one of its subdirectories. Splunk Enterprise ships with an example archiving script in $SPLUNK_HOME/bin called coldToFrozenExample.py. Splunk DOES NOT recommend using this example script directly. It uses a default path, and if modified in place any changes are overwritten on upgrade. Splunk recommends copying the example script to a new file in bin and modifying it for your system. Most importantly, change the default archive path to an existing directory that fits your needs. If your new script in bin/ is named myColdToFrozen.py, set this key to the following:
By default, the example script has two possible behaviors when archiving:
| |
| compressRawdata | Boolean | true | This parameter is ignored. The splunkd process always compresses raw data. |
| enableOnlineBucketRepair | Boolean | true | Enables asynchronous "online fsck" bucket repair, which runs concurrently with Splunk.
When enabled, you do not have to wait until buckets are repaired to start Splunk. However, you might observe a slight performance degratation. |
| frozenTimePeriodInSecs | Number | 188697600 | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| maxBloomBackfillBucketAge | Number | 30d | Valid values are: Integer[m|s|h|d]
If a warm or cold bucket is older than the specified age, do not create or rebuild its bloomfilter. Specify 0 to never rebuild bloomfilters. For example, if a bucket is older than specified with maxBloomBackfillBucketAge, and the rebuilding of its bloomfilter started but did not finish, do not rebuild it. |
| maxConcurrentOptimizes | Number | 6 | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | Number | auto | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended).Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" would typically be considered one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Number | 3 | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Number | 0 | Maximum life, in seconds, of a hot bucket. Defaults to 0.
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. A value of 0 turns off the idle check (equivalent to INFINITE idle time). |
| maxHotSpanSecs | Number | 7776000 | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note:I f you set this too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | Number | 5 | The amount of memory, expressed in MB, to allocate for buffering a single tsidx file into memory before flushing to disk. Defaults to 5. The default is recommended for all environments.
IMPORTANT: Calculate this number carefully. Setting this number incorrectly may have adverse effects on your systems memory and/or splunkd stability/performance. |
| maxMetaEntries | Number | 1000000 | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxTimeUnreplicatedNoAcks | Number | 300 | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
| maxTimeUnreplicatedWithAcks | Number | 60 | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
| maxTotalDataSizeMB | Number | 500000 | The maximum size of an index (in MB). If an index grows larger than the maximum size, the oldest data is frozen. |
| maxWarmDBCount | Number | 300 | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
| minRawFileSyncSecs | Number | disable | Specify an integer (or "disable") for this parameter.
This parameter sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. Note: Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed |
| minStreamGroupQueueSize | Number | 2000 | Minimum size of the queue that stores events in memory before committing them to a tsidx file.
Caution: Do not set this value, except under advice from Splunk Support. |
| partialServiceMetaPeriod | Number | 0 | Related to serviceMetaPeriod. If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod.
If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. By default it is turned off (zero). |
| processTrackerServiceInterval | Number | 1 | Specifies, in seconds, how often the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. Defaults to 15.
If set to 0, the indexer checks child process status every second. Highest legal value is 4294967295. |
| quarantineFutureSecs | Number | 2592000 | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Number | 77760000 | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Number | 131072 | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. WARNING: This is an advanced parameter. Only change it if you are instructed to do so by Splunk Support. |
| repFactor | String | 0 | Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.
|
| rotatePeriodInSecs | Number | 60 | How frequently (in seconds) to check if a new hot bucket needs to be created. Also, how frequently to check if there are any warm/cold buckets that should be rolled/frozen. |
| serviceMetaPeriod | Number | 25 | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| syncMeta | Boolean | true | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of a Splunk Support. |
| throttleCheckPeriod | Number | 15 | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| tstatsHomePath | String | Location to store datamodel acceleration TSIDX data for this index. Restart splunkd after changing this parameter.
If specified, it must be defined in terms of a volume definition. Caution: Path must be writable. Default value: volume:_splunk_summaries/$_index_name/tstats | |
| warmToColdScript | String | Path to a script to run when moving data from warm to cold.
This attribute is supported for backwards compatibility with Splunk Enterprise versions older than 4.0. Contact Splunk support if you need help configuring this setting. Caution: Migrating data across filesystems is now handled natively by splunkd. If you specify a script here, the script becomes responsible for moving the event data, and Splunk-native data migration are not used. |
| Name | Description |
|---|---|
| assureUTF8 | Boolean value indicating wheter all data retreived from the index is proper UTF8.
If enabled (set to True), degrades indexing performance Can only be set globally. |
| blockSignSize | Controls how many events make up a block for block signatures.
If this is set to 0, block signing is disabled for this index. A recommended value is 100. |
| blockSignatureDatabase | The index that stores block signatures of events.
This is a global setting, not a per index setting. |
| bucketRebuildMemoryHint | Suggestion for the Splunk Enterprise bucket rebuild process for the size of the time-series (tsidx) file to make. |
| coldPath | Filepath to the cold databases for the index. |
| coldPath_expanded | Absoute filepath to the cold databases. |
| coldToFrozenDir | Destination path for the frozen archive. Used as an alternative to a coldToFrozenScript. Splunk Enterprise automatically puts frozen buckets in this directory.
Bucket freezing policy is as follows:
If both coldToFrozenDir and coldToFrozenScript are specified, coldToFrozenDir takes precedence. |
| coldToFrozenScript | Path to the archiving script.
See the POST parameter description for details. |
| compressRawdata | This value is ignored. splunkd process always compresses raw data. |
| currentDBSizeMB | Total size, in MB, of data stored in the index. The total incudes data in the home, cold and thawed paths. |
| defaultDatabase | If no index destination information is available in the input data, the index shown here is the destination of such data. |
| enableOnlineBucketRepair | Indicates whether to run asynchronous "online fsck" bucket repair, which runs in a process concurrently with Splunk. |
| enableRealtimeSearch | Indicates if this is a real-time search.
This is a global setting, not a per index setting. |
| frozenTimePeriodInSecs | Number of seconds after which indexed data rolls to frozen. Defaults to 188697600 (6 years).
Freezing data means it is removed from the index. If you need to archive your data, refer to coldToFrozenDir and coldToFrozenScript parameter documentation. |
| homePath | An absolute path that contains the hot and warm buckets for the index. |
| homePath_expanded | An absolute filepath to the hot and warm buckets for the index. |
| indexThreads | Number of threads used for indexing.
This is a global setting, not a per index setting. |
| isInternal | Indicates if this is an internal index (for example, _internal, _audit). |
| lastInitTime | Last time the index processor was successfully initialized.
This is a global setting, not a per index setting. |
| maxBloomBackfillBucketAge | If a bucket (warm or cold) is older than this, Splunk Enterprise does not create (or re-create) its bloom filter. |
| maxConcurrentOptimizes | The number of concurrent optimize processes that can run against a hot bucket.
This number should be increased if instructed by Splunk Support. Typically the default value should suffice. |
| maxDataSize | The maximum size in MB for a hot DB to reach before a roll to warm is triggered. Specifying "auto" or "auto_high_volume" causes Splunk Enterprise to autotune this parameter (recommended). Use "auto_high_volume" for high volume indexes (such as the main index); otherwise, use "auto". A "high volume index" is typically one that gets over 10GB of data per day.
Although the maximum value you can set this is 1048576 MB, which corresponds to 1 TB, a reasonable number ranges anywhere from 100 - 50000. Any number outside this range should be approved by Splunk Support before proceeding. If you specify an invalid number or string, maxDataSize is auto-tuned. Note: The precise size of your warm buckets may vary from maxDataSize, due to post-processing and timing issues with the rolling policy. |
| maxHotBuckets | Maximum hot buckets that can exist per index. Defaults to 3.
When maxHotBuckets is exceeded, Splunk Enterprise rolls the least recently used (LRU) hot bucket to warm. Both normal hot buckets and quarantined hot buckets count towards this total. This setting operates independently of maxHotIdleSecs, which can also cause hot buckets to roll. |
| maxHotIdleSecs | Maximum life, in seconds, of a hot bucket. Defaults to 0. A value of 0 turns off the idle check (equivalent to INFINITE idle time).
If a hot bucket exceeds maxHotIdleSecs, Splunk Enterprise rolls it to warm. This setting operates independently of maxHotBuckets, which can also cause hot buckets to roll. |
| maxHotSpanSecs | Upper bound of target maximum timespan of hot/warm buckets in seconds. Defaults to 7776000 seconds (90 days).
Note: If set too small, you can get an explosion of hot/warm buckets in the filesystem. The system sets a lower bound implicitly for this parameter at 3600, but this is an advanced parameter that should be set with care and understanding of the characteristics of your data. |
| maxMemMB | The amount of memory, in MB, allocated for indexing.
This is a global setting, not a per index setting. |
| maxMetaEntries | Sets the maximum number of unique lines in .data files in a bucket, which may help to reduce memory consumption. If set to 0, this setting is ignored (it is treated as infinite).
If exceeded, a hot bucket is rolled to prevent further increase. If your buckets are rolling due to Strings.data hitting this limit, the culprit may be the punct field in your data. If you do not use punct, it may be best to simply disable this (see props.conf.spec in $SPLUNK_HOME/etc/system/README). There is a small time delta between when maximum is exceeded and bucket is rolled. This means a bucket may end up with epsilon more lines than specified, but this is not a major concern unless excess is significant. |
| maxTime | UNIX timestamp of the newest event time in the index. |
| maxTimeUnreplicatedNoAcks | Upper limit, in seconds, on how long an event can sit in raw slice. Applies only if replication is enabled for this index. Otherwise ignored.
If there are any acknowledged events sharing this raw slice, this paramater does not apply. In this case, maxTimeUnreplicatedWithAcks applies. Highest legal value is 2147483647. To disable this parameter, set to 0. Note: this is an advanced parameter. Understand the consequences before changing. |
| maxTimeUnreplicatedWithAcks | Upper limit, in seconds, on how long events can sit unacknowledged in a raw slice. Applies only if you have enabled acks on forwarders and have replication enabled (with clustering).
Note: This is an advanced parameter. Make sure you understand the settings on all forwarders before changing this. This number should not exceed ack timeout configured on any forwarder, and should actually be set to at most half of the minimum value of that timeout. You can find this setting in outputs.conf readTimeout setting under the tcpout stanza. To disable, set to 0, but this is NOT recommended. Highest legal value is 2147483647. |
| maxTotalDataSizeMB | The maximum size of an index, in MB. |
| maxWarmDBCount | The maximum number of warm buckets. If this number is exceeded, the warm bucket/s with the lowest value for their latest times are moved to cold. |
| memPoolMB | Determines how much memory is given to the indexer memory pool.
This is a global setting, not a per-index setting. |
| minRawFileSyncSecs | Can be either an integer (or "disable"). Some filesystems are very inefficient at performing sync operations, so only enable this if you are sure it is needed
The integer sets how frequently splunkd forces a filesystem sync while compressing journal slices. During this period, uncompressed slices are left on disk even after they are compressed. Then splunkd forces a filesystem sync of the compressed journal and removes the accumulated uncompressed files. If 0 is specified, splunkd forces a filesystem sync after every slice completes compressing. Specifying "disable" disables syncing entirely: uncompressed slices are removed as soon as compression is complete. |
| minStreamGroupQueueSize | Minimum size of the queue that stores events in memory before committing them to a tsidx file. |
| minTime | UNIX timestamp of the oldest event time in the index. |
| partialServiceMetaPeriod | Related to serviceMetaPeriod. By default it is turned off (zero).
If set, it enables metadata sync every <integer> seconds, but only for records where the sync can be done efficiently in-place, without requiring a full re-write of the metadata file. Records that require full re-write are be sync'ed at serviceMetaPeriod. partialServiceMetaPeriod specifies, in seconds, how frequently it should sync. Zero means that this feature is turned off and serviceMetaPeriod is the only time when metadata sync happens. If the value of partialServiceMetaPeriod is greater than serviceMetaPeriod, this setting has no effect. |
| processTrackerServiceInterval | How often, in seconds, the indexer checks the status of the child OS processes it launched to see if it can launch new processes for queued requests. |
| quarantineFutureSecs | Events with timestamp of quarantineFutureSecs newer than "now" are dropped into quarantine bucket. Defaults to 2592000 (30 days).
This is a mechanism to prevent main hot buckets from being polluted with fringe events. |
| quarantinePastSecs | Events with timestamp of quarantinePastSecs older than "now" are dropped into quarantine bucket. Defaults to 77760000 (900 days).
This is a mechanism to prevent the main hot buckets from being polluted with fringe events. |
| rawChunkSizeBytes | Target uncompressed size in bytes for individual raw slice in the rawdata journal of the index. Defaults to 131072 (128KB). 0 is not a valid value. If 0 is specified, rawChunkSizeBytes is set to the default value.
Note: rawChunkSizeBytes only specifies a target chunk size. The actual chunk size may be slightly larger by an amount proportional to an individual event size. Warning: This is an advanced parameter. Only change it if instructed to do so by Splunk Support. |
| repFactor | Index replication control. This parameter applies to only Splunk Enterprise clustering slaves.
|
| rotatePeriodInSecs | Rotation period, in seconds, that specifies how frequently to check:
|
| serviceMetaPeriod | Defines how frequently metadata is synced to disk, in seconds. Defaults to 25 (seconds).
You may want to set this to a higher value if the sum of your metadata file sizes is larger than many tens of megabytes, to avoid the hit on I/O in the indexing fast path. |
| suppressBannerList | List of indexes for which we suppress "index missing" warning banner messages.
This is a global setting, not a per index setting. |
| sync | Specifies the number of events that trigger the indexer to sync events.
This is a global setting, not a per index setting. |
| syncMeta | When true, a sync operation is called before file descriptor is closed on metadata file updates. This functionality improves integrity of metadata files, especially in regards to operating system crashes/machine failures.
Note: Do not change this parameter without the input of Splunk Support. |
| thawedPath | Filepath to the thawed (resurrected) databases for the index. |
| thawedPath_expanded | Absolute filepath to the thawed (resurrected) databases. |
| throttleCheckPeriod | Defines how frequently Splunk Enterprise checks for index throttling condition, in seconds. Defaults to 15 (seconds).
Note: Do not change this parameter without the input of Splunk Support. |
| totalEventCount | Total number of events in the index. |
| tstatsHomePath | Location where datamodel acceleration TSIDX data for this index is stored. |
| warmToColdScript | Script to run when moving data from warm to cold. See input parameter description for details. |
[ Top ]
https://<host>:<mPort>/services/data/indexes-extended
Authentication: Not required
Provide Splunk Enterprise index bucket-level information. There are three bucket super-directories per index:
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | List bucket attributes for all indices. | XML, JSON |
data/indexes-extended method detailPagination and filtering parameters can be used with this method.
| Name | Description | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| bucket_dirs | (If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:
| ||||||||||||||||||||||||||||||||||||||||
| name | Index name. | ||||||||||||||||||||||||||||||||||||||||
| total_bucket_count | (If total_size > 0) Number of index buckets.
| ||||||||||||||||||||||||||||||||||||||||
| total_event_count | (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
| ||||||||||||||||||||||||||||||||||||||||
| total_raw_size | (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
| ||||||||||||||||||||||||||||||||||||||||
| total_size | Size (fractional MB) on disk of this index. |
[ Top ]
https://<host>:<mPort>/services/data/indexes-extended/{name}
Authentication: Not required
Provide bucket-level information for the specified index. There are three bucket super-directories per index:
The default update period is 10 minutes, as defined by the collectionPeriodInSecs attribute in the $SPLUNK_HOME/etc/apps/introspection_generator_addon/default/server.conf file.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects]
collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | List bucket attributes for the specified index. | XML, JSON |
data/indexes-extended/{name} method detailNone
| Name | Description | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| bucket_dirs | (If total_size > 0) List the following attributes for each index bucket super-directory (home, cold, thawed) as indicated:
| ||||||||||||||||||||||||||||||||||||||||
| name | Index name. | ||||||||||||||||||||||||||||||||||||||||
| total_bucket_count | (If total_size > 0) Number of index buckets.
| ||||||||||||||||||||||||||||||||||||||||
| total_event_count | (If total_size > 0) Number of events for index, excluding frozen events. Approximately equal to the event_count sum of all buckets.
| ||||||||||||||||||||||||||||||||||||||||
| total_raw_size | (If total_size > 0) Cumulative size (fractional MB) on disk of the <bucket>/rawdata/ directories of all buckets in this index, excluding frozen.
| ||||||||||||||||||||||||||||||||||||||||
| total_size | Size (fractional MB) on disk of this index. |
[ Top ]
https://<host>:<mPort>/services/server/info
Authentication: Not required
Provides access to configuration information about the server.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate information about the server. | XML, JSON |
server/info method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| activeLicenseGroup | Type of Splunk Enterprise license:
|
| addOns | Names of active Splunk Enterprise add-ons. |
| build | The build number for this version of Splunk. |
| cpu_arch | The architecture type for the CPU hosting splunkd. |
| guid | Globally unique identifier for this server. |
| host | Server name. |
| host_fqdn | host fully-qualified domain name. |
| isFree | Indicates if this server is running Splunk Enterprise under a free license. |
| isTrial | Indicates if this server is using a trial license. |
| kv_store_status | App KV store availability. |
| license_labels | Labels associated with the license for this server. |
| licenseKeys | License key unique for each license. |
| licenseSignature | Hash signature for the license for this server. |
| licenseState | Specifies the status of the license, which can be either OK or Expired. |
| master_guid | Globally unique identifier for this server. |
| max_users | Maximum number of users. |
| mode | Indicates whether the server is a dedicated forwarder. Possible values are:
|
| numberOfCores | Server number of processor cores. Not useful if host is a VM guest. 0 if the respective result cannot be acquired for some reason. That reason is logged to splunkd.log. |
| os_build | Software build for this os_version. |
| os_name | Operating system. |
| os_version | Operating system version. |
| physicalMemoryMB | Server physical memory (MB). Same as mem field of server/status/resource-usage/hostwide. 0 if the respective result cannot be acquired for some reason. That reason is logged to splunkd.log. |
| product_type | Splunk Enterprise product type:
|
| rtsearch_enabled | Indicates if real-time search is enabled for this server. |
| server_roles | Zero or more of the following possible server roles:
See also: server/roles endpoint. |
| serverName | Server DNS domain name. |
| startup_time | Server platform start time, in seconds since January 1, 1970 (UNIX epoch). |
| version | os_build software version number. |
[ Top ]
https://<host>:<mPort>/services/server/introspection
Authentication: Not required
List system introspection artifacts.
Only the indexer artifact is a supported REST API endpoint.
| Method | Description | Formats |
|---|---|---|
| GET | List introspection resources. | XML, JSON |
server/introspection method detailNone
None
The endpoint returns a list of introspection artifacts.
[ Top ]
https://<host>:<mPort>/services/server/introspection/indexer
Authentication: Not required
Get the current indexer status and reason for a non-nominal status.
| Method | Description | Formats |
|---|---|---|
| GET | Get indexer information. | XML, JSON |
server/introspection/indexer method detailNone
| Name | Description |
|---|---|
| average_KBps | Average indexer throughput (kbps). |
| reason | Reason message associated with a non-normal status:
|
| status | Current indexer status:
|
[ Top ]
https://<host>:<mPort>/services/server/introspection/kvstore
Authentication: Not required
List app kvstore resources.
| Method | Description | Formats |
|---|---|---|
| GET | List app KV store resources. | XML, JSON |
server/introspection/kvstore method detailNone
None.
Returns links to each of the app /server/introspection/kvstore resources:
[ Top ]
https://<host>:<mPort>/services/server/introspection/kvstore/collectionstats
Authentication: Not required
Get storage statistics for a collection.
| Method | Description | Formats |
|---|---|---|
| GET | Get storage statistics for a collection. | XML, JSON |
server/introspection/kvstore/collectionstats method detailNone
| Name | Description |
|---|---|
| data | Returns the following JSON document:
|
[ Top ]
https://<host>:<mPort>/services/server/introspection/kvstore/replicasetstats
Authentication: Not required
Get the status of the replica set from the point of view of the current server.
| Method | Description | Formats |
|---|---|---|
| GET | Get the status of the replica set from the point of view of the current server. | XML, JSON |
server/introspection/kvstore/replicasetstats method detailNone
| Name | Description |
|---|---|
| data | Returns the following JSON document:
|
[ Top ]
https://<host>:<mPort>/services/server/introspection/kvstore/serverstatus
Authentication: Not required
Get an overview of the database process state.
Monitoring applications periodically run this command to get statistical information about the database instance.
| Method | Description | Formats |
|---|---|---|
| GET | Get an overview of the database process state. | XML, JSON |
server/introspection/kvstore/serverstatus method detailNone
The response data are platform-dependent.
| Name | Description |
|---|---|
| data | Returns the following CDATA items:
|
[ Top ]
https://<host>:<mPort>/services/server/introspection/search/saved
Authentication: Required
Access most recent scheduled search priority scores and score calculation adjustments.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate scheduled search details. | XML, JSON |
server/introspection/search/saved method detailNone
| Name | Description |
|---|---|
| final_score | Most recent calculated priority score, based on adjustments and original score. |
| name | Scheduled search name. |
| orig_score | A score based on a search's originally scheduled run time. |
| owner | Search scope or context owner. This could be a specific user or "nobody" for a search defined in an app or system-level scope. |
| priority_no | Most recent calculated priority number for this search. |
| real_time_adj | Real-time search priority adjustment. Real-time searches default to -80000 and continuous scheduled searches default to 0. This particular value is for internal purposes only and is subject to change. |
| runtime_adj | Calculated value based on average search runtime. |
| skipped_adj | Adjustment for number of times search has been skipped and search period. 0 means the search has not been skipped. |
| window_adj | Adjustment for remaining time in search run window. |
[ Top ]
https://<host>:<mPort>/services/server/status
Authentication: Not required
Access system status information.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate server/status endpoints. | XML, JSON |
server/status method detailNone
List of /server/status/ child endpoints.
Note: The /server/status/limits/ and /server/status/resource-usage/ endpoints are not listed. A bug report is submitted.
[ Top ]
https://<host>:<mPort>/services/server/status/dispatch-artifacts
Authentication: Not required
Access search job information.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Get information about dispatched search jobs. | XML, JSON |
server/status/dispatch-artifacts method detailNone
| Name | Description |
|---|---|
| count_realtime | Jobs active in the immediate past observation period, not including historical jobs. |
| count_scheduled | Jobs active in the immediate past observation period, not including real-time jobs. |
| count_summary | Jobs active in the immediate past observation period, not including non-summary jobs. |
| top_apps | Top 15 apps in the past observation period, inapp:count key-value pair format. |
| top_named_searches | Top 15 named searches in the past observation period, in savedSearchName:count key-value pair format. |
| top_users | Top 15 users in the past observation period, in username:count key-value pair format, with count as the number of app contexts for the user. |
| total_count | Number of dispatched search jobs since start-up. |
[ Top ]
https://<host>:<mPort>/services/server/status/fishbucket
Authentication: Not required
Access information about the private BTree database.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Get private Btree database information. | XML, JSON |
server/status/fishbucket method detailNone
| Name | Description |
|---|---|
| key_count | Number of file input records (keys) seen since start-up. |
| total_size | Total number of file input records (keys). |
[ Top ]
https://<host>:<mPort>/services/server/status/limits/search-concurrency
Authentication: Not required
Access search concurrency metrics.
| Method | Description | Formats |
|---|---|---|
| GET | Get search concurrency limits for a standalone Splunk Enterprise instance. | XML, JSON |
server/status/limits/search-concurrency method detailNone
| Name | Description |
|---|---|
| max_auto_summary_searches | Maximum number of auto summary searches. |
| max_hist_scheduled_searches | Maximum number of historical scheduled searches. |
| max_hist_searches | Maximum number of historical searches. |
| max_rt_scheduled_searches | Maximum number of scheduled searches. |
| max_rt_searches | Maximum number of real-time searches. |
[ Top ]
https://<host>:<mPort>/services/server/status/partitions-space
Authentication: Not required
Access disk utilization information for filesystems that have Splunk Enterprise disk objects, such as indexes, volumes, and logs. A filesystem can span multiple physical disk partitions.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:disk_objects] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate filesystem endpoints. | XML, JSON |
server/status/partitions-space method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| capacity | Disk capacity (MB). |
| free | Disk free space (MB). |
| fs_type | File system type.
Example values:
|
| mount_point | Absolute path of the directory where this partition is mounted. |
[ Top ]
https://<host>:<mPort>/services/server/status/resource-usage
Authentication: Not required
Learn the current levels of resource (CPU, RAM, VM, I/O, file handle) utilization for entire host, and per Splunk-related processes.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:resource_usage] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate server/status/resource-usage/ endpoints. | XML, JSON |
server/status/resource-usage method detailPagination and filtering parameters can be used with this method.
List of server/status/resource-usage/ endpoints.
[ Top ]
https://<host>:<mPort>/services/server/status/resource-usage/hostwide
Authentication: Not required
Access host-level, dynamic CPU utilization and paging information.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:resource_usage] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Get host-level, dynamic CPU utilization and paging information. | XML, JSON |
server/status/resource-usage/hostwide method detailNone
| Name | Description |
|---|---|
| cpu_idle_pct | Percentage of time CPU is idle. Value reported as 100.0 on Windows except for Vista+ and XP/Win2003 English-only OSes. |
| cpu_system_pct | Percentage of time CPU is running in system mode. Missing from Windows except for Vista+ and XP/Win2003 English-only OSes. |
| cpu_user_pct | Percentage of time CPU is running in user mode. Missing from Windows except for Vista+ and XP/Win2003 English-only OSes. |
| forks | Cumulative number of forked processes since OS startup. Not available on Windows. |
| mem | Total physical memory available (bytes). |
| mem_used | Total physical memory used (bytes). The amount of actual physical memory minus the amount of physical memory currently available. This is the amount of physical memory that can be immediately reused without having to first write its contents to disk. On Unix, mem_used = total_phys_ram - (free_mem + buffer_mem + cached_mem) On Windows, mem_used = (memoryStatus.ullTotalPhys - memoryStatus.ullAvailPhys); See GlobalMemoryStatusEx function |
| normalized_load_avg_1min | Normalized load average of runnable_process_count across all cores (cumulative_load_avg / number_of_cores). This value is not reliable for a VM guest. |
| pg_paged_out | Cumulative VM page count paged since OS startup. Not available on Windows. |
| pg_swapped_out | Cumulative pages swapped out since OS startup. Not available on Windows. |
| runnable_process_count | Number of process running or in the runnable queue. Value reported as 1 on Windows except for Vista+ and XP/Win2003 English-only OSes. |
| swap | Amount of disk allocated to swap (fractional MB). |
| swap_used | Swap space currently in use (fractional MB). |
[ Top ]
https://<host>:<mPort>/services/server/status/resource-usage/splunk-processes
Authentication: Not required
Access operating system resource utilization information.
Note: At least one observation period must pass after Splunk Enterprise startup for valid endpoint data to be available. The observation period is defined in the $SPLUNK_HOME/etc/system/default/server.conf file:
[introspection:generator:resource_usage] collectionPeriodInSecs = 600
The default period is 10 seconds, but 10 minutes (600 seconds) on a Universal Forwarder.
| Method | Description | Formats |
|---|---|---|
| GET | Get process operating system resource utilization information. | XML, JSON |
server/status/resource-usage/splunk-processes method detailNone
| Name | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| args | Non-search process arguments. | ||||||||||||||||||
| cpu_system_time | Cumulative time this process has spent executing in kernel (incl. system calls). Extra field. | ||||||||||||||||||
| cpu_user_time | Cumulative time this process has spent executing in user space (incl. library functions). Extra field. | ||||||||||||||||||
| elapsed | Elapsed wall time, accurate to within the collection period. | ||||||||||||||||||
| fd_used | Number of currently open files used by this process. | ||||||||||||||||||
| mem_unshared_data_used | Amount of heap and stack used. Not available on Windows. Extra field. | ||||||||||||||||||
| mem_used | Current amount of resident physical memory used (KB). (Usually far less deceiving than virtual memory because operating systems can be liberal with virtual memory size but never with resident memory size.) On Windows, mem_used is obtained by reading the WorkingSetSize property returned by the GetProcessMemoryInfo() function (see GetProcessMemoryInfo function and PROCESS_MEMORY_COUNTERS structure). | ||||||||||||||||||
| page_faults | Number of major page faults. Extra field. | ||||||||||||||||||
| pct_cpu | Percentage of CPU used. Can spike briefly, so a single measurement is not reliable. Only interesting if >40% in several consecutive measurements. | ||||||||||||||||||
| pct_memory | Percentage of physical memory used hostwide ((mem_used/available_host_memory) * 100). | ||||||||||||||||||
| pid | Process ID. | ||||||||||||||||||
| ppid | Parent process ID. Not available for all processes. | ||||||||||||||||||
| process | Process name. The .exe suffix is stripped on Windows operating systems.
| ||||||||||||||||||
| read_mb | Amount of data read (MB), excluding cache reads. | ||||||||||||||||||
| search_props | Search properties map of the following key:value pairs:
| ||||||||||||||||||
| status | Status from the OS scheduler. Can be R (runnable or running), W (waiting), stopped, Z (zombie), or O (other). W includes voluntary sleep or blocking on I/O. O means status is knowable but does not fit into one of those categories. Not available on Windows. | ||||||||||||||||||
| t_count | Current number of threads. | ||||||||||||||||||
| written_mb | Amount of data written (MB), excluding canceled writes. |
[ Top ]
curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--volumes</title>
<id>https://localhost:8089/services/data/index-volumes</id>
<updated>2014-03-25T14:41:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>_splunk_summaries</title>
<id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
<updated>2014-03-25T14:41:09-07:00</updated>
<link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="max_size">infinite</s:key>
<s:key name="name">_splunk_summaries</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:passwd https://localhost:8089/services/data/index-volumes/_splunk_summaries
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--volumes</title>
<id>https://localhost:8089/services/data/index-volumes</id>
<updated>2014-03-27T14:35:26-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>_splunk_summaries</title>
<id>https://localhost:8089/services/data/index-volumes/_splunk_summaries</id>
<updated>2014-03-27T14:35:26-07:00</updated>
<link href="/services/data/index-volumes/_splunk_summaries" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/index-volumes/_splunk_summaries" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">... elided ...</s:key>
<s:key name="max_size">infinite</s:key>
<s:key name="name">_splunk_summaries</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/indexes
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>indexes</title>
<id>https://localhost:8089/services/data/indexes</id>
<updated>2011-07-11T18:09:22-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/indexes/_new" rel="create"/>
<link href="/services/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>_audit</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/indexes/_audit</id>
<updated>2011-07-11T18:09:22-07:00</updated>
<link href="/servicesNS/nobody/system/data/indexes/_audit" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/indexes/_audit" rel="list"/>
<link href="/servicesNS/nobody/system/data/indexes/_audit/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/indexes/_audit" rel="edit"/>
<link href="/servicesNS/nobody/system/data/indexes/_audit/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="blockSignSize">0</s:key>
<s:key name="blockSignatureDatabase">_blocksignature</s:key>
<s:key name="coldPath">$SPLUNK_DB/audit/colddb</s:key>
<s:key name="coldPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/colddb</s:key>
<s:key name="coldToFrozenDir"/>
<s:key name="coldToFrozenScript"/>
<s:key name="compressRawdata">1</s:key>
<s:key name="currentDBSizeMB">1</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
... eai:acl element elided ...
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath">$SPLUNK_DB/audit/db</s:key>
<s:key name="homePath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/db</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="isInternal">1</s:key>
<s:key name="lastInitTime">1310432962.424512</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">3</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxRunningProcessGroups">20</s:key>
<s:key name="maxTime">2011-07-10T22:20:53-0700</s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minTime">2011-07-10T14:33:00-0700</s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="suppressBannerList"/>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="thawedPath">$SPLUNK_DB/audit/thaweddb</s:key>
<s:key name="thawedPath_expanded">/home/amrit/temp/curl/splunk/var/lib/splunk/audit/thaweddb</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="totalEventCount">230</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/indexes -d name=Shadow
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>indexes</title>
<id>https://localhost:8089/servicesNS/admin/search/data/indexes</id>
<updated>2011-05-13T13:09:27-07:00</updated>
<generator version="98392"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>shadow</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
<updated>2011-05-13T13:09:27-07:00</updated>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="blockSignSize">0</s:key>
<s:key name="blockSignatureDatabase">_blocksignature</s:key>
<s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
<s:key name="coldPath_expanded">/Applications/splunk/var/lib/splunk/shadow/colddb</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="currentDBSizeMB">1</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="eai:acl">. . .</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
<s:key name="homePath_expanded">/Applications/splunk/var/lib/splunk/shadow/db</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="isInternal">0</s:key>
<s:key name="lastInitTime">1305317367.331268</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">3</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxTime"></s:key>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minTime"></s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="suppressBannerList"></s:key>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
<s:key name="thawedPath_expanded">/Applications/splunk/var/lib/splunk/shadow/thaweddb</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="totalEventCount">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/indexes/shadow
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>indexes</title>
<id>https://localhost:8089/services/data/indexes</id>
<updated>2012-08-02T11:10:16-07:00</updated>
<generator build="131547" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/indexes/_new" rel="create"/>
<link href="/services/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>indexes</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
<updated>2011-08-01T12:25:34-07:00</updated>
<generator version="105103"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>shadow</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
<updated>2011-08-01T11:47:55-07:00</updated>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="blockSignSize">0</s:key>
<s:key name="blockSignatureDatabase">_blocksignature</s:key>
<s:key name="bloomfilterTotalSizeKB">0</s:key>
<s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
<s:key name="coldPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/colddb</s:key>
<s:key name="coldToFrozenDir"/>
<s:key name="coldToFrozenScript"/>
<s:key name="compressRawdata">1</s:key>
<s:key name="currentDBSizeMB">1</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="disabled">0</s:key>
...eai:acl element elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>assureUTF8</s:item>
<s:item>blockSignSize</s:item>
<s:item>coldToFrozenDir</s:item>
<s:item>coldToFrozenScript</s:item>
<s:item>compressRawdata</s:item>
<s:item>frozenTimePeriodInSecs</s:item>
<s:item>maxConcurrentOptimizes</s:item>
<s:item>maxDataSize</s:item>
<s:item>maxHotBuckets</s:item>
<s:item>maxHotIdleSecs</s:item>
<s:item>maxHotSpanSecs</s:item>
<s:item>maxMemMB</s:item>
<s:item>maxMetaEntries</s:item>
<s:item>maxRunningProcessGroups</s:item>
<s:item>maxTotalDataSizeMB</s:item>
<s:item>maxWarmDBCount</s:item>
<s:item>minRawFileSyncSecs</s:item>
<s:item>partialServiceMetaPeriod</s:item>
<s:item>quarantineFutureSecs</s:item>
<s:item>quarantinePastSecs</s:item>
<s:item>rawChunkSizeBytes</s:item>
<s:item>rotatePeriodInSecs</s:item>
<s:item>serviceMetaPeriod</s:item>
<s:item>suppressBannerList</s:item>
<s:item>syncMeta</s:item>
<s:item>throttleCheckPeriod</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
<s:key name="homePath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/db</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="isInternal">0</s:key>
<s:key name="lastInitTime">1312226552.102920</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">3</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxRunningProcessGroups">20</s:key>
<s:key name="maxTime"/>
<s:key name="maxTotalDataSizeMB">500000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minTime"/>
<s:key name="numBloomfilters">0</s:key>
<s:key name="numHotBuckets">0</s:key>
<s:key name="numWarmBuckets">0</s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="suppressBannerList"/>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
<s:key name="thawedPath_expanded">/home/amrit/bin/splunk-current/var/lib/splunk/shadow/thaweddb</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="totalEventCount">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass -d maxTotalDataSizeMB=400000 https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>indexes</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes</id>
<updated>2011-05-16T12:20:06-07:00</updated>
<generator version="98392"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/_new" rel="create"/>
<link href="/servicesNS/nobody/search/data/indexes/_reload" rel="_reload"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>shadow</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/indexes/shadow</id>
<updated>2011-05-16T12:18:56-07:00</updated>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="list"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/indexes/shadow" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="assureUTF8">0</s:key>
<s:key name="blockSignSize">0</s:key>
<s:key name="blockSignatureDatabase">_blocksignature</s:key>
<s:key name="coldPath">$SPLUNK_DB/shadow/colddb</s:key>
<s:key name="coldPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/colddb</s:key>
<s:key name="coldToFrozenDir"></s:key>
<s:key name="coldToFrozenScript"></s:key>
<s:key name="compressRawdata">1</s:key>
<s:key name="currentDBSizeMB">1</s:key>
<s:key name="defaultDatabase">main</s:key>
<s:key name="eai:acl">. . .</s:key>
<s:key name="enableRealtimeSearch">1</s:key>
<s:key name="frozenTimePeriodInSecs">188697600</s:key>
<s:key name="homePath">$SPLUNK_DB/shadow/db</s:key>
<s:key name="homePath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/db</s:key>
<s:key name="indexThreads">auto</s:key>
<s:key name="isInternal">0</s:key>
<s:key name="lastInitTime">1305573611.118477</s:key>
<s:key name="maxConcurrentOptimizes">3</s:key>
<s:key name="maxDataSize">auto</s:key>
<s:key name="maxHotBuckets">3</s:key>
<s:key name="maxHotIdleSecs">0</s:key>
<s:key name="maxHotSpanSecs">7776000</s:key>
<s:key name="maxMemMB">5</s:key>
<s:key name="maxMetaEntries">1000000</s:key>
<s:key name="maxTime"></s:key>
<s:key name="maxTotalDataSizeMB">400000</s:key>
<s:key name="maxWarmDBCount">300</s:key>
<s:key name="memPoolMB">auto</s:key>
<s:key name="minRawFileSyncSecs">disable</s:key>
<s:key name="minTime"></s:key>
<s:key name="partialServiceMetaPeriod">0</s:key>
<s:key name="quarantineFutureSecs">2592000</s:key>
<s:key name="quarantinePastSecs">77760000</s:key>
<s:key name="rawChunkSizeBytes">131072</s:key>
<s:key name="rotatePeriodInSecs">60</s:key>
<s:key name="serviceMetaPeriod">25</s:key>
<s:key name="suppressBannerList"></s:key>
<s:key name="sync">0</s:key>
<s:key name="syncMeta">1</s:key>
<s:key name="thawedPath">$SPLUNK_DB/shadow/thaweddb</s:key>
<s:key name="thawedPath_expanded">/Applications/splunk4.3/var/lib/splunk/shadow/thaweddb</s:key>
<s:key name="throttleCheckPeriod">15</s:key>
<s:key name="totalEventCount">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--indexes</title>
<id>https://localhost:8089/services/data/indexes-extended</id>
<updated>2014-03-31T12:41:09-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>_audit</title>
<id>https://localhost:8089/services/data/indexes-extended/_audit</id>
<updated>2014-03-31T12:41:09-07:00</updated>
<link href="/services/data/indexes-extended/_audit" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/indexes-extended/_audit" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="bucket_dirs">
<s:dict>
<s:key name="cold">
<s:dict>
<s:key name="bucket_count">0</s:key>
<s:key name="size">0.000</s:key>
</s:dict>
</s:key>
<s:key name="home">
<s:dict>
<s:key name="event_count">6169</s:key>
<s:key name="event_max_time">1395246673</s:key>
<s:key name="event_min_time">1394732683</s:key>
<s:key name="hot_bucket_count">1</s:key>
<s:key name="size">1.000</s:key>
<s:key name="warm_bucket_count">5</s:key>
</s:dict>
</s:key>
<s:key name="thawed">
<s:dict>
<s:key name="bucket_count">0</s:key>
<s:key name="size">0.000</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="name">_audit</s:key>
<s:key name="total_bucket_count">6</s:key>
<s:key name="total_event_count">18096</s:key>
<s:key name="total_raw_size">1.000</s:key>
<s:key name="total_size">1.000</s:key>
</s:dict>
</content>
</entry>
.
.
.
elided
.
.
.
<entry>
<title>summary</title>
<id>https://localhost:8089/services/data/indexes-extended/summary</id>
<updated>2014-03-31T12:41:09-07:00</updated>
<link href="/services/data/indexes-extended/summary" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/indexes-extended/summary" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="name">summary</s:key>
<s:key name="total_size">0.000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:passwd https://localhost:8089/services/data/indexes-extended/history
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--indexes</title>
<id>https://localhost:8089/services/data/indexes-extended</id>
<updated>2014-03-31T12:42:29-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>_internal</title>
<id>https://localhost:8089/services/data/indexes-extended/_internal</id>
<updated>2014-03-31T12:42:29-07:00</updated>
<link href="/services/data/indexes-extended/_internal" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/indexes-extended/_internal" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="bucket_dirs">
<s:dict>
<s:key name="cold">
<s:dict>
<s:key name="bucket_count">0</s:key>
<s:key name="size">0.000</s:key>
</s:dict>
</s:key>
<s:key name="home">
<s:dict>
<s:key name="event_count">180492</s:key>
<s:key name="event_max_time">1395246673</s:key>
<s:key name="event_min_time">1392167582</s:key>
<s:key name="hot_bucket_count">3</s:key>
<s:key name="size">9.000</s:key>
<s:key name="warm_bucket_count">6</s:key>
</s:dict>
</s:key>
<s:key name="thawed">
<s:dict>
<s:key name="bucket_count">0</s:key>
<s:key name="size">0.000</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">
... elided ...
</s:key>
<s:key name="name">_internal</s:key>
<s:key name="total_bucket_count">9</s:key>
<s:key name="total_event_count">556322</s:key>
<s:key name="total_raw_size">28.000</s:key>
<s:key name="total_size">22.000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/info
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-info</title>
<id>https://localhost:8089/services/server/info</id>
<updated>2014-08-04T15:48:10-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>server-info</title>
<id>https://localhost:8089/services/server/info/server-info</id>
<updated>2014-08-04T15:48:10-07:00</updated>
<link href="/services/server/info/server-info" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/info/server-info" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="activeLicenseGroup">Enterprise</s:key>
<s:key name="addOns">
<s:dict>
<s:key name="hadoop">
<s:dict>
<s:key name="parameters">
<s:dict>
<s:key name="erp_type">report</s:key>
<s:key name="maxNodes">10</s:key>
</s:dict>
</s:key>
<s:key name="type">external_results_provider</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="build">221120</s:key>
<s:key name="cpu_arch">x64</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
<s:key name="host">myHostName</s:key>
<s:key name="host_fqdn">myHostName</s:key>
<s:key name="isFree">0</s:key>
<s:key name="isTrial">0</s:key>
<s:key name="kv_store_status">Could not find task executor for type 'kv_store_status'</s:key>
<s:key name="licenseKeys">
<s:list>
<s:item>31BB75AA379A50F9225471053337B6E438C4C7A1F42A905AB93AF16C9A12124E</s:item>
</s:list>
</s:key>
<s:key name="licenseSignature">2f121cff440e115470154cdf92e208b5</s:key>
<s:key name="licenseState">OK</s:key>
<s:key name="license_labels">
<s:list>
<s:item>Splunk xyz License</s:item>
</s:list>
</s:key>
<s:key name="master_guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
<s:key name="max_users">4294967295</s:key>
<s:key name="mode">normal</s:key>
<s:key name="numberOfCores">2</s:key>
<s:key name="os_build">6</s:key>
<s:key name="os_name">Windows</s:key>
<s:key name="os_version">1</s:key>
<s:key name="physicalMemoryMB">3982</s:key>
<s:key name="product_type">splunk</s:key>
<s:key name="rtsearch_enabled">1</s:key>
<s:key name="serverName">myHostName</s:key>
<s:key name="server_roles">
<s:dict>
<s:key name="indexer"/>
<s:key name="license_master"/>
<s:key name="management_console"/>
</s:dict>
</s:key>
<s:key name="startup_time">1407182814</s:key>
<s:key name="version">6.2</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/server/introspection</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<s:messages/>
<entry>
<title>indexer</title>
<id>https://localhost:8089/services/server/introspection/indexer</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<link href="/services/server/introspection/indexer" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/indexer" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>kvstore</title>
<id>https://localhost:8089/services/server/introspection/kvstore</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<link href="/services/server/introspection/kvstore" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore" rel="list"/>
<link href="/services/server/introspection/kvstore/_reload" rel="_reload"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>pipelines</title>
<id>https://localhost:8089/services/server/introspection/pipelines</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<link href="/services/server/introspection/pipelines" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/pipelines" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>processors</title>
<id>https://localhost:8089/services/server/introspection/processors</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<link href="/services/server/introspection/processors" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/processors" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>queues</title>
<id>https://localhost:8089/services/server/introspection/queues</id>
<updated>2014-08-04T11:40:23-07:00</updated>
<link href="/services/server/introspection/queues" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/queues" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/indexer
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection-indexer</title>
<id>https://localhost:8089/services/server/introspection/indexer</id>
<updated>2014-08-04T11:43:04-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>indexer</title>
<id>https://localhost:8089/services/server/introspection/indexer/indexer</id>
<updated>2014-08-04T11:43:04-07:00</updated>
<link href="/services/server/introspection/indexer/indexer" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/indexer/indexer" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="average_KBps">0.517667</s:key>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="reason">.</s:key>
<s:key name="status">nominal</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/server/introspection/kvstore</id>
<updated>2014-08-20T14:06:12-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<s:messages/>
<entry>
<title>collectionstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id>
<updated>2014-08-20T14:06:12-07:00</updated>
<link href="/services/server/introspection/kvstore/collectionstats" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/collectionstats" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>replicasetstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats</id>
<updated>2014-08-20T14:06:12-07:00</updated>
<link href="/services/server/introspection/kvstore/replicasetstats" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/replicasetstats" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>serverstatus</title>
<id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id>
<updated>2014-08-20T14:06:12-07:00</updated>
<link href="/services/server/introspection/kvstore/serverstatus" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/serverstatus" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/collectionstats
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>kvstore-collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author>
<name>Splunk</name>
</author> ... opensearch nodes elided ... <s:messages/> <entry>
<title>collectionStats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/collectionstats/collectionStats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/collectionstats/collectionStats" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="data">
<s:list>
<s:item>
{"ns":"search.kvstoredemo",
"count":0,
"size":0,
"storageSize":8192,
"numExtents":1,
"nindexes":2,
"lastExtentSize":8192,
"paddingFactor":1,
"systemFlags":1,
"userFlags":1,
"totalIndexSize":16352,
"indexSizes":{"_id_":8176,"_UserAndKeyUniqueIndex":8176},
"ok":1}
</s:item>
</s:list>
</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
</s:dict>
</content>
</entry> </feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/replicasetstats
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>kvstore-collectionstats</title> <id>https://localhost:8089/services/server/introspection/kvstore/collectionstats</id> <updated>2014-08-20T14:31:42-07:00</updated> <generator build="226873" version="6.2"/> <author>
<name>Splunk</name>
</author>
... opensearch nodes elided ... <s:messages/>
<entry>
<title>replicasetstats</title>
<id>https://localhost:8089/services/server/introspection/kvstore/replicasetstats/replicasetstats</id>
<updated>2014-08-20T14:31:42-07:00</updated>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/replicasetstats/replicasetstats" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="data">
<s:list>
<s:item>
{
"replSetStats": {
"set": "splunkrs",
"date": 1412203576000,
"myState": 2,
"syncingTo": "54.xxx.xxx.xxx:8191",
"members": [
{
"_id": 2,
"name": "54.xxx.xxx.xxx:8191",
"health": 1,
"state": 2,
"stateStr": "SECONDARY",
"uptime": 102409,
"optime": {
"t": 1412101153,
"i": 1
},
"optimeDate": 1412101153000,
"lastHeartbeat": 1412203575000,
"lastHeartbeatRecv": 1412203575000,
"pingMs": 1,
"syncingTo": "54.xxx.xxx.xxx:8191"
},
{
"_id": 3,
"name": "54.xxx.xxx.yyy:8191",
"health": 1,
"state": 2,
"stateStr": "SECONDARY",
"uptime": 102409,
"optime": {
"t": 1412101153,
"i": 1
},
"optimeDate": 1412101153000,
"lastHeartbeat": 1412203576000,
"lastHeartbeatRecv": 1412203575000,
"pingMs": 1,
"syncingTo": "54.xxx.xxx.yyy:8191"
},
.
.
.
elided
.
.
.
{
"_id": 17,
"name": "54.xxx.xxx.zzz:8191",
"health": 1,
"state": 2,
"stateStr": "SECONDARY",
"uptime": 102409,
"optime": {
"t": 1412101153,
"i": 1
},
"optimeDate": 1412101153000,
"lastHeartbeat": 1412203574000,
"lastHeartbeatRecv": 1412203575000,
"pingMs": 1,
"syncingTo": "54.xxx.xxx.zzz:8191"
}
],
"ok": 1
},
"oplogInfo": {
"start": 1412022009000,
"end": 1412101153000,
"collectionStats": {
"ns": "local.oplog.rs",
"count": 631,
"size": 166964,
"avgObjSize": 264,
"storageSize": 1048580080,
"numExtents": 3,
"nindexes": 0,
"lastExtentSize": 4096,
"paddingFactor": 1,
"systemFlags": 0,
"userFlags": 0,
"totalIndexSize": 0,
"indexSizes": {},
"capped": true,
"max": 9223372036854775808.000000,
"ok": 1
},
"sources": {}
}
}
</s:item>
</s:list>
</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
</s:dict>
</content>
</entry> </feed>
curl -k -u admin:changeme https://localhost:8089/services/server/introspection/kvstore/serverstatus
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>kvstore-serverstatus</title> <id>https://localhost:8089/services/server/introspection/kvstore/serverstatus</id> <updated>2014-08-20T14:26:42-07:00</updated> <generator build="226873" version="6.2"/> <author>
<name>Splunk</name>
</author> ... opensearch nodes elided ... <s:messages/> <entry>
<title>serverStatus</title>
<id>https://localhost:8089/services/server/introspection/kvstore/serverstatus/serverStatus</id>
<updated>2014-08-20T14:26:42-07:00</updated>
<link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/kvstore/serverstatus/serverStatus" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="data">
<![CDATA[{
"host":"localhost:8089", "version":"2.6.3", "pid":23009, "uptime":19049, "uptimeMillis":19049447, "uptimeEstimate":18295, "localTime":{"$date":1408570002615}, "asserts":{ "regular":0, "warning":0, "msg":0, "user":0, "rollovers":0}, "backgroundFlushing":{ "flushes":317, "total_ms":11523, "average_ms":36.350158, "last_ms":0, "last_finished":{"$date":1408569973325}}, "connections":{ "current":7, "available":3269, "totalCreated":7}, "cursors":{ "note":"deprecated, use server status metrics", "clientCursors_size":0, "totalOpen":0, "pinned":0, "totalNoTimeout":0, "timedOut":0}, "dur":{ "commits":30, "journaledMB":0, "writeToDataFilesMB":0, "compression":0, "commitsInWriteLock":0, "earlyCommits":0, "timeMs":{ "dt":3072, "prepLogBuffer":0, "writeToJournal":0, "writeToDataFiles":0, "remapPrivateView":0}}, "extra_info":{ "note":"fields vary by platform", "heap_usage_bytes":67624592, "page_faults":3}, "globalLock":{ "totalTime":19049447000, "lockTime":1491098, "currentQueue":{ "total":0, "readers":0, "writers":0}, "activeClients":{ "total":0, "readers":0, "writers":0}}, "indexCounters":{ "accesses":2, "hits":2, "misses":0, "resets":0, "missRatio":0}, "locks":{ ".":{ "timeLockedMicros":{ "R":2926340, "W":1491098}, "timeAcquiringMicros":{ "R":1458997, "W":342703}}, "admin":{ "timeLockedMicros":{ "r":103638, "w":0}, "timeAcquiringMicros":{ "r":13202, "w":0}}, "local":{ "timeLockedMicros":{ "r":426518, "w":237}, "timeAcquiringMicros":{ "r":185505, "w":12}}, "search.kvstoredemo":{ "timeLockedMicros":{ "r":2832888, "w":292}, "timeAcquiringMicros":{ "r":1310820, "w":17}}}, "network":{ "bytesIn":1133611, "bytesOut":11628162, "numRequests":12070}, "opcounters":{ "insert":1, "query":4760, "update":0, "delete":0, "getmore":0, "command":8264}, "opcountersRepl":{ "insert":0, "query":0, "update":0, "delete":0, "getmore":0, "command":0}, "recordStats":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0, "admin":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "local":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}, "search.kvstoredemo":{ "accessesNotInMemory":0, "pageFaultExceptionsThrown":0}}, "writeBacksQueued":false, "mem":{ "bits":64, "resident":58, "virtual":325, "supported":true, "mapped":64, "mappedWithJournal":128}, "metrics":{ "cursor":{ "timedOut":0, "open":{ "noTimeout":0, "pinned":0, "total":0}}, "document":{ "deleted":0, "inserted":1, "returned":2, "updated":0}, "getLastError":{ "wtime":{ "num":0, "totalMillis":0}, "wtimeouts":0}, "operation":{ "fastmod":0, "idhack":0, "scanAndOrder":0}, "queryExecutor":{ "scanned":0, "scannedObjects":0}, "record":{"moves":0}, "repl":{ "apply":{ "batches":{ "num":0, "totalMillis":0}, "ops":0}, "buffer":{ "count":0, "maxSizeBytes":268435456, "sizeBytes":0}, "network":{ "bytes":0, "getmores":{ "num":0, "totalMillis":0}, "ops":0, "readersCreated":0}, "preload":{ "docs":{ "num":0, "totalMillis":0}, "indexes":{ "num":0, "totalMillis":0}}}, "storage":{ "freelist":{ "search":{ "bucketExhausted":0, "requests":0, "scanned":0}}}, "ttl":{ "deletedDocuments":0, "passes":317}}, "ok":1}]]>
</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
</s:dict>
</content>
</entry> </feed>
curl -k -u admin:pass https://localhost:8089/services/server/introspection/search/saved
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection-savedsearches</title>
<id>https://localhost:8089/services/server/introspection/search/saved</id>
<updated>2015-06-03T16:41:21-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/server/introspection/search/saved/_acl" rel="_acl"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>admin;search;search_1</title>
<id>https://localhost:8089/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1</id>
<updated>2015-06-03T16:41:21-07:00</updated>
<link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1â rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/search/saved/admin%3Bsearch%3Bsearch_1â rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="final_score">1433294868</s:key>
<s:key name="name">search_1</s:key>
<s:key name="orig_score">1433374860</s:key>
<s:key name="owner">admin</s:key>
<s:key name="priority_no">1</s:key>
<s:key name="real_time_adj">-80000</s:key>
<s:key name="runtime_adj">8</s:key>
<s:key name="skipped_adj">0</s:key>
<s:key name="window_adj">0</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>nobody;search;Errors in the last hour</title>
<id>https://localhost:8089/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour</id>
<updated>2015-06-03T16:41:21-07:00</updated>
<link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/introspection/search/saved/nobody%3Bsearch%3BErrors%20in%20the%20last%20hour" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="final_score">1433294980</s:key>
<s:key name="name">Errors in the last hour</s:key>
<s:key name="orig_score">1433374860</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="priority_no">2</s:key>
<s:key name="real_time_adj">-80000</s:key>
<s:key name="runtime_adj">1</s:key>
<s:key name="skipped_adj">0</s:key>
<s:key name="window_adj">119</s:key>
</s:dict>
</content>
</entry>
</feed>
</div>
curl -k -u admin:changeme https://localhost:8089/services/server/status
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/server/status</id>
<updated>2014-03-25T13:52:59-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<s:messages/>
<entry>
<title>dispatch-artifacts</title>
<id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
<updated>2014-03-25T13:52:59-07:00</updated>
<link href="/services/server/status/dispatch-artifacts" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/dispatch-artifacts" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>fishbucket</title>
<id>https://localhost:8089/services/server/status/fishbucket</id>
<updated>2014-03-25T13:52:59-07:00</updated>
<link href="/services/server/status/fishbucket" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/fishbucket" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>partitions-space</title>
<id>https://localhost:8089/services/server/status/partitions-space</id>
<updated>2014-03-25T13:52:59-07:00</updated>
<link href="/services/server/status/partitions-space" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/partitions-space" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/dispatch-artifacts
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--search-dispatch-artifacts</title>
<id>https://localhost:8089/services/server/status/dispatch-artifacts</id>
<updated>2014-03-25T11:10:33-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>result</title>
<id>https://localhost:8089/services/server/status/dispatch-artifacts/result</id>
<updated>2014-03-25T11:10:33-07:00</updated>
<link href="/services/server/status/dispatch-artifacts/result" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/dispatch-artifacts/result" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="count_realtime">0</s:key>
<s:key name="count_scheduled">0</s:key>
<s:key name="count_summary">0</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="top_apps"/>
<s:key name="top_named_searches"/>
<s:key name="top_users"/>
<s:key name="total_count">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/fishbucket
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--fishbucket</title>
<id>https://localhost:8089/services/server/status/fishbucket</id>
<updated>2014-03-25T11:31:10-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>result</title>
<id>https://localhost:8089/services/server/status/fishbucket/result</id>
<updated>2014-03-25T11:31:10-07:00</updated>
<link href="/services/server/status/fishbucket/result" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/fishbucket/result" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="key_count">0</s:key>
<s:key name="total_size">0.000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/limits/search-concurrency
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-status-limits-concurrency</title>
<id>https://localhost:8089/services/server/status/limits/search-concurrency</id>
<updated>2014-03-25T11:40:16-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>search-concurrency</title>
<id>https://localhost:8089/services/server/status/limits/search-concurrency/search-concurrency</id>
<updated>2014-03-25T11:40:16-07:00</updated>
<link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/limits/search-concurrency/search-concurrency" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="max_auto_summary_searches">2</s:key>
<s:key name="max_hist_scheduled_searches">5</s:key>
<s:key name="max_hist_searches">10</s:key>
<s:key name="max_rt_scheduled_searches">5</s:key>
<s:key name="max_rt_searches">10</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/partitions-space
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--disk-objects--partitions-space</title>
<id>https://localhost:8089/services/server/status/partitions-space</id>
<updated>2014-03-25T11:43:39-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>0</title>
<id>https://localhost:8089/services/server/status/partitions-space/0</id>
<updated>2014-03-25T11:43:39-07:00</updated>
<link href="/services/server/status/partitions-space/0" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/partitions-space/0" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="capacity">104901.000</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="free">7774.000</s:key>
<s:key name="fs_type">ntfs</s:key>
<s:key name="mount_point">C:\</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title></title>
<id>https://localhost:8089/services/server/status/resource-usage</id>
<updated>2014-03-25T11:53:26-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<s:messages/>
<entry>
<title>hostwide</title>
<id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
<updated>2014-03-25T11:53:26-07:00</updated>
<link href="/services/server/status/resource-usage/hostwide" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/resource-usage/hostwide" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
<entry>
<title>splunk-processes</title>
<id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
<updated>2014-03-25T11:53:26-07:00</updated>
<link href="/services/server/status/resource-usage/splunk-processes" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/resource-usage/splunk-processes" rel="list"/>
<content type="text/xml">
<s:dict/>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/hostwide
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--resource-usage--hostwide</title>
<id>https://localhost:8089/services/server/status/resource-usage/hostwide</id>
<updated>2014-03-25T11:45:29-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>result</title>
<id>https://localhost:8089/services/server/status/resource-usage/hostwide/result</id>
<updated>2014-03-25T11:45:29-07:00</updated>
<link href="/services/server/status/resource-usage/hostwide/result" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/resource-usage/hostwide/result" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="cpu_idle_pct">90.95</s:key>
<s:key name="cpu_system_pct">4.84</s:key>
<s:key name="cpu_user_pct">4.21</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="mem">3982.234</s:key>
<s:key name="mem_used">3193.137</s:key>
<s:key name="runnable_process_count">1</s:key>
<s:key name="swap">7962.652</s:key>
<s:key name="swap_used">3244.652</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/status/resource-usage/splunk-processes/0
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>introspection--resource-usage--splunk-processes</title>
<id>https://localhost:8089/services/server/status/resource-usage/splunk-processes</id>
<updated>2014-03-26T13:35:52-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>0</title>
<id>https://localhost:8089/services/server/status/resource-usage/splunk-processes/0</id>
<updated>2014-03-26T13:35:52-07:00</updated>
<link href="/services/server/status/resource-usage/splunk-processes/0" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/status/resource-usage/splunk-processes/0" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="args"> instrument-resource-usage</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="elapsed">619262.3610</s:key>
<s:key name="mem_used">15.762</s:key>
<s:key name="page_faults">12001684</s:key>
<s:key name="pct_memory">0.40</s:key>
<s:key name="pid">4256</s:key>
<s:key name="ppid">2476</s:key>
<s:key name="process">splunkd</s:key>
<s:key name="t_count">4</s:key>
</s:dict>
</content>
</entry>
</feed>Knowledge type endpoints,
https://<host>:<mPort>/services/data/lookup-table-files
Authentication: Not required
Provides access to lookup table files.
| Method | Description | Formats |
|---|---|---|
| GET | List lookup table files. | XML, JSON |
| POST | Create a lookup table file by moving a file from the upload staging area into $SPLUNK_HOME. | XML, JSON |
data/lookup-table-files method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk Enterprise user who created the lookup table. |
data/lookup-table-files method detail| Name | Type | Default | Description |
|---|---|---|---|
| eai:data required | String | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. | |
| name required | String | The lookup table filename. |
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk Enterprise user who created the lookup table. |
[ Top ]
https://<host>:<mPort>/services/data/lookup-table-files/{name}
Authentication: Not required
Manage the {name} lookup table file.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named lookup table file. | XML, JSON |
| GET | List a single lookup table file. | XML, JSON |
| POST | Modify a lookup table file by replacing it with a file from the upload staging area. | XML, JSON |
data/lookup-table-files/{name} method detailNone
None
data/lookup-table-files/{name} method detailNone
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:attributes | Field control information. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk Enterprise user who created the lookup table. |
data/lookup-table-files/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| eai:data required | String | Move a lookup table file from the given path into $SPLUNK_HOME. This path must have the lookup staging area as an ancestor. |
| Name | Description |
|---|---|
| eai:appName | The app for which the lookup table applies. |
| eai:data | The source path for the lookup staging area. The lookup table file is moved from here into $SPLUNK_HOME. |
| eai:userName | The Splunk Enterprise user who created the lookup table. |
[ Top ]
https://<host>:<mPort>/services/data/props/calcfields
Authentication: Not required
Provides access to calculated fields, which are eval expressions in props.conf.
| Method | Description | Formats |
|---|---|---|
| GET | Returns information on calculated fields for this instance of Splunk. | XML, JSON |
| POST | Create an eval expression defining a calculated field in props.conf. | XML, JSON |
data/props/calcfields method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
See Define calculated fields in the Splunk Knowledge Manager manual for more information.
data/props/calcfields method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The name of the calculated field. Do not specify the "EVAL-" prefix for the field.
When Splunk Enterprise writes the calculated field to props.conf, it adds the "EVAL-" prefix. | |
| stanza required | String | The name of the stanza in props.conf for the calculated field.
The name can be any of the following:
| |
| value required | String | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details. |
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
See Define calculated fields in the Splunk Knowledge Manager manual for more information.
[ Top ]
https://<host>:<mPort>/services/data/props/calcfields/{name}
Authentication: Not required
Manage the {name} calculated field.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes the named calculated field. | XML, JSON |
| GET | Returns details about the named calculated field. | XML, JSON |
| POST | Update the named calculated field. | XML, JSON |
data/props/calcfields/{name} method detailNone
None
Use URL-encoding to ensure that Splunk Enterprise interprets the name of the calculated field correctly.
data/props/calcfields/{name} method detailNone
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
data/props/calcfields/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| value | String | The eval statement, which can be evaluated to any value type, including multivals, boolean, or null.
See Create a calculated field by editing props.conf in the Splunk Knowledge Manager manual for details. |
| Name | Description |
|---|---|
| attribute | The name of the calculated field, which includes the "EVAL-" prefix. |
| field.name | The name of the field which is being calculated with an EVAL expression. |
| stanza | The name of the stanza in props.conf that defines the calculated field. |
| type | The type of the calculated field.
This is always EVAL. |
| value | The EVAL statement for the calculated field. |
[ Top ]
https://<host>:<mPort>/services/data/props/extractions
Authentication: Not required
Provides access to search-time field extractions in props.conf.
| Method | Description | Formats |
|---|---|---|
| GET | List field extractions. | XML, JSON |
| POST | Create a new field extraction. | XML, JSON |
data/props/extractions method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field extraction applies.
for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/extractions method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The user-specified part of the field extraction name. The full name of the field extraction includes this identifier as a suffix. | |
| stanza required | String | The props.conf stanza to which this field extraction applies, e.g. the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. | |
| type required | Enum | Valid values: (REPORT | EXTRACT)
An EXTRACT-type field extraction is defined with an "inline" regular expression. A REPORT-type field extraction refers to a transforms.conf stanza. | |
| value required | String | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | Specifies the name of the stanza for the field extraction. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
[ Top ]
https://<host>:<mPort>/services/data/props/extractions/{name}
Authentication: Not required
Manage the {name} field extraction.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named field extraction. | XML, JSON |
| GET | List a single field extraction. | XML, JSON |
| POST | Modify the named field extraction. | XML, JSON |
data/props/extractions/{name} method detailNone
None
data/props/extractions/{name} method detailNone
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field extraction applies.
for example, the sourcetype or source that triggers this field extraction. The full name of the field extraction includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/extractions/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| value required | String | If this is an EXTRACT-type field extraction, specify a regular expression with named capture groups that define the desired fields. If this is a REPORT-type field extraction, specify a comma- or space-delimited list of transforms.conf stanza names that define the field transformations to apply. |
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | Specifies the name of the stanza for the field extraction. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
[ Top ]
https://<host>:<mPort>/services/data/props/fieldaliases
Authentication: Not required
Provides access to field aliases in props.conf.
| Method | Description | Formats |
|---|---|---|
| GET | List field aliases. | XML, JSON |
| POST | Create a new field alias. | XML, JSON |
data/props/fieldaliases method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/fieldaliases method detail| Name | Type | Default | Description |
|---|---|---|---|
| alias.* | String | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". | |
| name required | String | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. | |
| stanza required | String | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform. |
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
[ Top ]
https://<host>:<mPort>/services/data/props/fieldaliases/{name}
Authentication: Not required
Manage the {name} field alias.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named field alias. | XML, JSON |
| GET | List a single field alias. | XML, JSON |
| POST | Modify the named field alias. | XML, JSON |
data/props/fieldaliases/{name} method detailNone
None
data/props/fieldaliases/{name} method detailNone
| Name | Description |
|---|---|
| alias.* | The user-specified part of the field alias name. The full name of the field alias includes this identifier as a suffix. |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform.
|
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
data/props/fieldaliases/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| alias.* | String | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
| Name | Description |
|---|---|
| alias.* | The alias for a given field. For example, supply a value of "bar" for an argument "alias.foo" to alias "foo" to "bar". |
| attribute | Specifies the field extraction configuration.
For example, REPORT-<name> or EXTRACT-<name>. |
| stanza | The props.conf stanza to which this field alias applies, e.g. the sourcetype or source that causes this field alias to be applied. The full name of the field alias includes this stanza name as a prefix. |
| type | Specifies the field extraction type, which can be either inline or uses transform. |
| value | If this is an EXTRACT-type field extraction, a regular expression with named capture groups that define the desired fields.
If this is a REPORT-type field extraction, a list of transforms.conf stanza names that define the field transformations to apply. |
[ Top ]
https://<host>:<mPort>/services/data/props/lookups
Authentication: Not required
Provides access to automatic lookups in props.conf.
| Method | Description | Formats |
|---|---|---|
| GET | List automatic lookups. | XML, JSON |
| POST | Create a new automatic lookup. | XML, JSON |
data/props/lookups method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is always |
| value | The transform stanza with the value for the lookup. |
data/props/lookups method detail| Name | Type | Default | Description |
|---|---|---|---|
| lookup.field.input.* | String | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. | |
| lookup.field.output.* | String | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. | |
| name required | String | The user-specified part of the automatic lookup name. The full name of the automatic lookup includes this identifier as a suffix. | |
| overwrite required | Boolean | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. | |
| stanza required | String | The props.conf stanza to which this automatic lookup applies, e.g. the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. | |
| transform required | String | The transforms.conf stanza that defines the lookup to apply. |
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
| lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is alwqys |
| value | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
[ Top ]
https://<host>:<mPort>/services/data/props/lookups/{name}
Authentication: Not required
Manage the {name} automatic lookup.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named automatic lookup. | XML, JSON |
| GET | List a single automatic lookup. | XML, JSON |
| POST | Modify the named automatic lookup. | XML, JSON |
data/props/lookups/{name} method detailNone
None
data/props/lookups/{name} method detailNone
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is always |
| value | The transform stanza with the value for the lookup. |
data/props/lookups/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| lookup.field.input.* | String | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. | |
| lookup.field.output.* | String | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. | |
| overwrite required | Boolean | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. | |
| transform required | String | The transforms.conf stanza that defines the lookup to apply. |
| Name | Description |
|---|---|
| attribute | Specifies the field extraction configuration.
For example, LOOKUP-my_lookup. |
| lookup.field.input.* | A column in the lookup table to match against. Supply a non-empty value if the corresponding field has a different name in your actual events. |
| lookup.field.output.* | A column in the lookup table to output. Supply a non-empty value if the field should have a different name in your actual events. |
| overwrite | If set to true, output fields are always overridden. If set to false, output fields are only written out if they do not already exist. |
| stanza | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
| transform | The transforms.conf stanza that defines the lookup to apply. |
| type | Specifies the field extraction type.
For this endpoint, this is alwqys |
| value | The props.conf stanza to which this automatic lookup applies.
For example, the sourcetype or source that automatically triggers this lookup. The full name of the automatic lookup includes this stanza name as a prefix. |
[ Top ]
https://<host>:<mPort>/services/data/props/sourcetype-rename
Authentication: Not required
Provides access to renamed sourcetypes which are configured in props.conf.
| Method | Description | Formats |
|---|---|---|
| GET | List renamed sourcetypes. | XML, JSON |
| POST | Rename a sourcetype. | XML, JSON |
data/props/sourcetype-rename method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
data/props/sourcetype-rename method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The original sourcetype name. | |
| value required | String | The new sourcetype name. |
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
[ Top ]
https://<host>:<mPort>/services/data/props/sourcetype-rename/{name}
Authentication: Not required
Manage {name} sourcetype renaming.
| Method | Description | Formats |
|---|---|---|
| DELETE | Restore original sourcetype name. | XML, JSON |
| GET | List a single renamed sourcetype. | XML, JSON |
| POST | Rename a sourcetype again, i.e. modify a sourcetype's new name. | XML, JSON |
data/props/sourcetype-rename/{name} method detailNone
None
data/props/sourcetype-rename/{name} method detailNone
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
data/props/sourcetype-rename/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| value required | String | The new sourcetype name. |
| Name | Description |
|---|---|
| attribute | The configuration key. |
| stanza | The sourcetype to rename, which is the name of a stanza in props.conf. |
| type | The value of the configuration key. |
| value | The new name for the sourcetype. |
[ Top ]
https://<host>:<mPort>/services/data/transforms/extractions
Authentication: Not required
Provides access to field transformations, i.e. field extraction definitions.
| Method | Description | Formats |
|---|---|---|
| GET | List field transformations. | XML, JSON |
| POST | Create a new field transformation. | XML, JSON |
data/transforms/extractions method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
data/transforms/extractions method detail| Name | Type | Default | Description |
|---|---|---|---|
| CAN_OPTIMIZE | Bool | True | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. |
| CLEAN_KEYS | Boolean | True | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| disabled | Boolean | Specifies whether the field transformation is disabled. | |
| FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string. | |
| KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| MV_ADD | Boolean | False | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| name required | String | The name of the field transformation. | |
| REGEX required | String | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string. | |
| SOURCE_KEY required | String | _raw | Specify the KEY to which Splunk Enterprise applies REGEX. |
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
[ Top ]
https://<host>:<mPort>/services/data/transforms/extractions/{name}
Authentication: Not required
Manage {name} field transformation.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named field transformation. | XML, JSON |
| GET | List a single field transformation. | XML, JSON |
| POST | Modify the named field transformation. | XML, JSON |
data/transforms/extractions/{name} method detailNone
None
data/transforms/extractions/{name} method detailNone
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
data/transforms/extractions/{name} method detail| Name | Type | Default | Description | |
|---|---|---|---|---|
| REGEX | String | Specify a regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \tREGEX is required for all index-time transforms. REGEX and the FORMAT attribute: Name-capturing groups in the REGEX are extracted directly to fields. This means that you do not need to specify the FORMAT attribute for simple field extraction cases. If the REGEX extracts both the field name and its corresponding field value, you can use the following special capturing groups if you want to skip specifying the mapping in FORMAT: _KEY_<string>, _VAL_<string>. For example, the following are equivalent: \tUsing FORMAT: \t\tREGEX = ([a-z]+)=([a-z]+) \t\tFORMAT = $1::$2 \tWithout using FORMAT \t\tREGEX = (?<_KEY_1>[a-z]+)=(?<_VAL_1>[a-z]+) REGEX defaults to an empty string. | ||
| SOURCE_KEY | String | _raw | Specify the KEY to which Splunk Enterprise applies REGEX. | |
| CAN_OPTIMIZE | Bool | True | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled). You might use this when you have field discovery turned off--it ensures that certain fields are *always* discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is needed for the successful evaluation of a search.
NOTE: This option should rarely be set to false. | |
| CLEAN_KEYS | Boolean | True | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. | |
| FORMAT | String | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. FORMAT for index-time extractions: Use $n (for example $1, $2, etc) to specify the output of each REGEX match. If REGEX does not have n groups, the matching fails. The special identifier $0 represents what was in the DEST_KEY before the REGEX was performed. At index-time only, you can use FORMAT to create concatenated fields: FORMAT = ipaddress::$1.$2.$3.$4 When you create concatenated fields with FORMAT, "$" is the only special character. It is treated as a prefix for regex-capturing groups only if it is followed by a number and only if the number applies to an existing capturing group. So if REGEX has only one capturing group and its value is "bar", then: \t"FORMAT = foo$1" yields "foobar" \t"FORMAT = foo$bar" yields "foo$bar" \t"FORMAT = foo$1234" yields "foo$1234" \t"FORMAT = foo$1\\$2" yields "foobar\\$2" At index-time, FORMAT defaults to <stanza-name>::$1 FORMAT for search-time extractions: The format of this field as used during search time extractions is as follows: \tFORMAT = <field-name>::<field-value>( <field-name>::<field-value>)* \tfield-name = [<string>|$<extracting-group-number>] \tfield-value = [<string>|$<extracting-group-number>] Search-time extraction examples: \tFORMAT = first::$1 second::$2 third::other-value \tFORMAT = $1::$2 You cannot create concatenated fields with FORMAT at search time. That functionality is only available at index time. At search-time, FORMAT defaults to an empty string. | ||
| KEEP_EMPTY_VALS | Boolean | False | If set to true, Splunk Enterprise preserves extracted fields with empty values. | |
| MV_ADD | Boolean | False | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. | |
| disabled | Boolean | Specifies whether the field transformation is disabled. |
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: \\tREGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). \\tREGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if the field transformation is disabled. |
| eai:appName | The Splunk Enterprise app for which the field extractions are defined. For example, the search app. |
| eai:userName | The name of the Splunk Enterprise user who created the field extraction definitions. For example, the admin user. |
|}
[ Top ]
https://<host>:<mPort>/services/data/transforms/lookups
Authentication: Not required
Provides access to lookup definitions in transforms.conf.
| Method | Description | Formats |
|---|---|---|
| GET | List lookup definitions. | XML, JSON |
| POST | Create a new lookup definition. | XML, JSON |
data/transforms/lookups method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if this lookup is disabled. |
| eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk Enterprise user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. |
| type | Specifies the field extraction type.
Can be either external or file. |
data/transforms/lookups method detail| Name | Type | Default | Description |
|---|---|---|---|
| name | String | The name of the lookup definition. | |
| default_match | String | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
| disabled | Boolean | Specifies whether the lookup definition is disabled. | |
| external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
| fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
| filename | String | The name of the static lookup table file. | |
| max_matches | Number | The maximum number of possible matches for each input lookup value. | |
| max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
| min_matches | Number | The minimum number of possible matches for each input lookup value. | |
| min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
| time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
| time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| default_match | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
| disabled | Specifies whether the lookup definition is disabled. |
| eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk Enterprise user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
| filename | The name of the static lookup table file. |
| max_matches | The maximum number of possible matches for each input lookup value.
If the lookup is non-temporal (not time-bounded, meaning the time_field attribute is not specified), Splunk Enterprise uses the first <integer> entries, in file order. If the lookup is temporal, Splunk Enterprise uses the first <integer> entries in descending time order. Default = 100 if the lookup is not temporal, default = 1 if it is temporal. |
| max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| min_matches | The minimum number of possible matches for each input lookup value. |
| min_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
| time_format | For temporal lookups, this specifies the \\"strptime\\" format of the timestamp field. |
| type | Specifies the field extraction type.
Can be either external or file. |
[ Top ]
https://<host>:<mPort>/services/data/transforms/lookups/{name}
Authentication: Not required
Manage the {name} lookup definition.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the named lookup definition. | XML, JSON |
| GET | List a single lookup definition. | XML, JSON |
| POST | Modify the named lookup definition. | XML, JSON |
data/transforms/lookups/{name} method detailNone
None
data/transforms/lookups/{name} method detailNone
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Indicates whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | Indicates whether Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | Indicates whether Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | For index-time filed extractions. Specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | "If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| disabled | Indicates if this lookup is disabled. |
| eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
| eai:attributes | Field control information. |
| eai:userName | The Splunk Enterprise user for which the lookups are defined. |
| filename | The name of the static lookup table file. |
| type | Specifies the field extraction type.
Can be either external or file. |
data/transforms/lookups/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| default_match | String | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. | |
| disabled | Boolean | Specifies whether the lookup definition is disabled. | |
| external_cmd | String | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. | |
| fields_list | String | A comma- and space-delimited list of all fields that are supported by the external command. Use this for external (or "scripted") lookups. | |
| filename | String | The name of the static lookup table file. | |
| max_matches | Number | The maximum number of possible matches for each input lookup value. | |
| max_offset_secs | Number | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. | |
| min_matches | Number | The minimum number of possible matches for each input lookup value. | |
| min_offset_secs | Number | For temporal lookups, this is the minimum time (in seconds) that the event timestamp can be later than the lookup entry timestamp for a match to occur. | |
| time_field | String | For temporal lookups, this is the field in the lookup table that represents the timestamp. | |
| time_format | String | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
| Name | Description |
|---|---|
| CAN_OPTIMIZE | Controls whether Splunk Enterprise can optimize this extraction out (another way of saying the extraction is disabled).
You might use this when you have field discovery turned off--it ensures that certain fields are always discovered. Splunk Enterprise only disables an extraction if it can determine that none of the fields identified by the extraction is ever needed for the successful evaluation of a search. |
| CLEAN_KEYS | If set to true, Splunk Enterprise "cleans" the field names extracted at search time by replacing non-alphanumeric characters with underscores and stripping leading underscores. |
| DEFAULT_VALUE | Optional attribute for index-time field extractions. Splunk Enterprise writes the specified value to DEST_KEY if the specified REGEX fails. |
| DEST_KEY | Valid for index-time field extractions, specifies where Splunk Enterprise stores the REGEX results. |
| FORMAT | This option is valid for both index-time and search-time field extractions. However, FORMAT behaves differently depending on whether the extraction is performed at index time or search time.
This attribute specifies the format of the event, including any field names or values you want to add. For details, refer to the documentation for this parameter in the POST operation for data/transforms/extractions. |
| KEEP_EMPTY_VALS | If set to true, Splunk Enterprise preserves extracted fields with empty values. |
| LOOKAHEAD | Optional attribute for index-time filed extractions. specifies how many characters to search into an event.
Defaults to 4096. You may want to increase this value if you have event line lengths that exceed 4096 characters (before linebreaking). |
| MV_ADD | If Splunk Enterprise extracts a field that already exists and MV_ADD is set to true, the field becomes multivalued, and the newly-extracted value is appended. If MV_ADD is set to false, the newly-extracted value is discarded. |
| REGEX | The regular expression to operate on your data.
This attribute is valid for both index-time and search-time field extractions: REGEX is required for all search-time transforms unless you are setting up a delimiter-based field extraction, in which case you use DELIMS (see the DELIMS attribute description, below). REGEX is required for all index-time transforms. For details, see the documentation for this parameter in the POST operation. |
| SOURCE_KEY | The KEY to which Splunk Enterprise applies REGEX. |
| WRITE_META | Indicates whether to automatically write REGEX to metadata.
This attribute is required for all index-time field extractions except for those where DEST_KEY = meta (see the description of the DEST_KEY attribute). Use instead of DEST_KEY = meta. |
| default_match | If min_matches is greater than zero and Splunk Enterprise has less than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. |
| disabled | Specifies whether the lookup definition is disabled. |
| eai:appName | The Splunk Enterprise app for which the lookups are defined. For example, the search app. |
| eai:userName | The Splunk Enterprise user for which the lookups are defined. |
| external_cmd | Provides the command and arguments to invoke to perform a lookup. Use this for external (or "scripted") lookups, where you interface with with an external script rather than a lookup table.
This string is parsed like a shell command. The first argument is expected to be a python script located in: $SPLUNK_HOME/etc/<app_name>/bin (or ../etc/searchscripts) Presence of this field indicates that the lookup is external and command based. |
| fields_list | List of all fields that are supported by the external command. Use this for external (or "scripted") lookups. |
| filename | The name of the static lookup table file. |
| max_matches | The maximum number of possible matches for each input lookup value. |
| max_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| min_matches | The minimum number of possible matches for each input lookup value. |
| min_offset_secs | For temporal lookups, this is the maximum time (in seconds) that the event timestamp can be later than the lookup entry time for a match to occur. |
| time_field | For temporal lookups, this is the field in the lookup table that represents the timestamp. |
| time_format | For temporal lookups, this specifies the "strptime" format of the timestamp field. |
| type | Specifies the field extraction type.
Can be either external or file. |
[ Top ]
https://<host>:<mPort>/services/datamodel/acceleration
Authentication: Not required
Access information about data models that have acceleration enabled.
| Method | Description | Formats |
|---|---|---|
| GET | List information about data models that have acceleration enabled. | XML, JSON |
datamodel/acceleration method detailPagination and filtering parameters can be used with this method.
None
Refer to Manage data models for more implementation information about data models and acceleration.
[ Top ]
https://<host>:<mPort>/services/datamodel/acceleration/{name}
Authentication: Not required
Get information about the {name} datamodel.
| Method | Description | Formats |
|---|---|---|
| GET | List information about the named data model, which has acceleration enabled. | XML, JSON |
datamodel/acceleration/{name} method detailNone
| Name | Description |
|---|---|
| acceleration | Indicates if acceleration is enabled for this data model. |
| acceleration.earliest_time | The earliest time to dispatch the search. |
| search | Specifies the search to accelerate this data model. |
[ Top ]
https://<host>:<mPort>/services/datamodel/model
Authentication: Not required
Access information about data models.
| Method | Description | Formats |
|---|---|---|
| GET | List data models on the server. | XML, JSON |
| POST | Create a new data model. | XML, JSON |
datamodel/model method detail| Name | Type | Default | Description |
|---|---|---|---|
| concise | Boolean | Indicates whether to list a concise JSON description of the data model.
The concise description is a summary for human readability. It is not used to create the data model. |
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk Enterprise app in which the data model was created. |
| eai:userName | The name of the Splunk Enterprise user who created the data model. |
For more implementation information on data models refer to About data models in the Knowledge Manager manual.
datamodel/model method detail| Name | Type | Default | Description |
|---|---|---|---|
| description | String | JSON description of the data model. | |
| name | String | Name of the data model. | |
| acceleration | String | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
For example: acceleration='{"enabled": true, "acceleration.earliest_time": -1mon, "acceleration.cron_schedule": 0 */12 * * *}' | |
| concise | Boolean | Indicates whether to return a concise JSON description of the data model after creating the data model.
The concise description is a summary for human readability. It is not used to create the data model. |
None
For more implementation information on data models refer to About data models in the Knowledge Manager manual.
[ Top ]
https://<host>:<mPort>/services/datamodel/model/{name}
Authentication: Not required
Manage the {name} datamodel resource.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a data model resource. | XML, JSON |
| GET | List information about a data model resource. | XML, JSON |
| POST | Update a data model resource. | XML, JSON |
datamodel/model/{name} method detailNone
None
datamodel/model/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| concise | Boolean | Indicates whether to list a concise JSON description of the data model.
The concise description is a summary for human readability. It is not used to create the data model. |
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk Enterprise app in which the data model was created. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk Enterprise user who created the data model. |
datamodel/model/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| acceleration | String | Specify the acceleration settings for the data model. Supply JSON to specify any or all of the following settings:
For example: acceleration='{"enabled": true, "acceleration.earliest_time": -1mon, "acceleration.cron_schedule": 0 */12 * * *}' | |
| concise | Boolean | Indicates whether to return a concise JSON description of the data model after creating the data model.
The concise description is a summary for human readability. It is not used to create the data model. | |
| description | String | JSON description of the data model. | |
| provisional | Boolean | Indicates whether the data model is provisional. Provisional data models are not saved.
Specify true to validate a data model before saving it. If the endpoint returns with no errors, then specify this endpoint again, with provisional set to false, to save the data model. |
| Name | Description |
|---|---|
| acceleration | Indicates whether acceleration is enabled for the data model. |
| concise | Indicates whether to list a concise JSON description of the data model. |
| description | The JSON describing the data model. |
| displayName | The name displayed for the data model in Splunk Web. |
| eai:appName | The Splunk Enterprise app in which the data model was created. |
| eai:attributes | Field control information. |
| eai:userName | The name of the Splunk Enterprise user who created the data model. |
[ Top ]
https://<host>:<mPort>/services/datamodel/pivot
Authentication: Not required
Provides access to pivots that are based on named data models.
| Method | Description | Formats |
|---|---|---|
| GET | List information about the supplied pivot based on the named data model. | XML, JSON |
datamodel/pivot method detail| Name | Type | Default | Description |
|---|---|---|---|
| pivot_json | String | JSON specifying a pivot based on the named data model.
Typically, you URL encode this parameter. This endpoint requires either this pivot_json parameter or a pivot_search parameter. | |
| pivot_search | String | A pivot search command based on the named data model.
Typically, you URL encode this parameter. This endpoint requires either a pivot_json or this pivot_search parameter. |
| Name | Description |
|---|---|
| drilldown_search | The search for running this pivot report using drilldown |
| open_in_search | Equivalent to search parameter, but listed more simply. |
| pivot_json | JSON specifying a pivot based on the named data model. |
| pivot_search | A pivot search command based on the named data model. |
| search | The search string for running the pivot report |
| tstats_search | The search for running this pivot report using tstats |
For information on pivot implementation refer to the Splunk Pivot manual.
{name} refers to a data model on the system.
Specify a pivot using either the pivot_search or pivot_json parameter.
[ Top ]
https://<host>:<mPort>/services/directory
Authentication: Not required
Provides access to user configurable objects.
These objects includes search commands, UI views, UI navigation, saved searches and event types. This is useful to see which objects are provided by all apps, or a specific app when the call is namespaced. The specific configuration in restmap.conf is showInDirSvc.
| Method | Description | Formats |
|---|---|---|
| GET | Provides an enumeration of app-scoped objects. | XML, JSON |
directory method detailPagination and filtering parameters can be used with this method.
None
an enumeration of the following app scoped objects:
event types
saved searches
time configurations
views
navs
manager XML
quickstart XML
search commands
macros
tags
field extractions
lookups
workflow actions
field aliases
sourcetype renames
This is useful to see which apps provide which objects, or all the objects provided by a specific app. To change the visibility of an object type in this listing, use the showInDirSvc in restmap.conf.
[ Top ]
https://<host>:<mPort>/services/directory/{name}
Authentication: Not required
Get information about the {name} directory entity.
| Method | Description | Formats |
|---|---|---|
| GET | Displays information about a single entity in the directory service enumeration. | XML, JSON |
directory/{name} method detailNone
| Name | Description |
|---|---|
| eai:type | Entity type. |
This is rarely used. Typically after using the directory service enumeration, a client follows the specific link for an object in an enumeration.
[ Top ]
https://<host>:<mPort>/services/saved/eventtypes
Authentication: Not required
Provides access to saved event types.
| Method | Description | Formats |
|---|---|---|
| GET | Retrieve saved event types. | XML, JSON |
| POST | Creates a new event type. | XML, JSON |
saved/eventtypes method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if the event type is disabled. |
| eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use the tags.conf.spec file to assign tags to groups of events with related field values. |
saved/eventtypes method detail| Name | Type | Default | Description |
|---|---|---|---|
| name | String | The name for the event type. | |
| search | String | Search terms for this event type. | |
| description | String | Human-readable description of this event type. | |
| disabled | Boolean | 0 | If True, disables the event type. |
| priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| tags | String | [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values. |
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if this event type is disabled. |
| eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use tags.conf.spec file to assign tags to groups of events with related field values. |
[ Top ]
https://<host>:<mPort>/services/saved/eventtypes/{name}
Authentication: Not required
Manage the {name} event type.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes this event type. | XML, JSON |
| GET | Returns information on this event type. | XML, JSON |
| POST | Updates this event type. | XML, JSON |
saved/eventtypes/{name} method detailNone
None
saved/eventtypes/{name} method detailNone
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if the event type is disabled. |
| eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
| eai:attributes | Field control information. |
| eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use the tags.conf.spec file to assign tags to groups of events with related field values. |
saved/eventtypes/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| search | String | Search terms for this event type. | |
| description | String | Human-readable description of this event type. | |
| disabled | Boolean | 0 | If True, disables the event type. |
| priority | Number | 1 | Specify an integer from 1 to 10 for the value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| tags | String | [Deprecated] Use tags.conf.spec file to assign tags to groups of events with related field values. |
| Name | Description |
|---|---|
| description | Description of this event type. |
| disabled | Indicates if this event type is disabled. |
| eai:appName | The Splunk Enterprise app for which this event type applies. For example, the Splunk search app. |
| eai:userName | Splunk Enterprise user name of the creator of this event type. For example, the Splunk admin user. |
| priority | The value used to determine the order in which the matching event types of an event are displayed. 1 is the highest priority. |
| search | Search terms for this event type. |
| tags | [Deprecated] Tags associated with this event type.
Use tags.conf.spec file to assign tags to groups of events with related field values. |
the search must be re-specified for this edit.
URI-encode the search string if it contains any of the following characters: =, &, ?, %
Otherwise, these characters can be interpreted as part of the HTTP request.
[ Top ]
https://<host>:<mPort>/services/search/fields
Authentication: Not required
Provides management for search field configurations.
Field configuration is specified in $SPLUNK_HOME/etc/system/default/fields.conf, with overriden values in $SPLUNK_HOME/etc/system/local/fields.conf.
| Method | Description | Formats |
|---|---|---|
| GET | Returns a list of fields registered for field configuration. | XML, JSON |
search/fields method detailNone
None
[ Top ]
https://<host>:<mPort>/services/search/fields/{field_name}
Authentication: Not required
Get information about the {field_name} field.
| Method | Description | Formats |
|---|---|---|
| GET | Retrieves information about the named field. | XML, JSON |
search/fields/{field_name} method detailNone
None
[ Top ]
https://<host>:<mPort>/services/search/fields/{field_name}/tags
Authentication: Not required
Manage the tags associated with the {field_name} field.
| Method | Description | Formats |
|---|---|---|
| GET | Returns a list of tags associated with the field specified by {field_name}. | XML, JSON |
| POST | Update the tags associated with the field specified by {field_name}. | XML, JSON |
search/fields/{field_name}/tags method detailNone
None
search/fields/{field_name}/tags method detail| Name | Type | Default | Description |
|---|---|---|---|
| value | String | The specific field value on which to bind the tags. | |
| add | String | The tag to attach to this field_name:value combination.
| |
| delete | String | The tag to remove to this field_name::value combination.
|
None
The value parameter specifies the specific value on which to bind tag actions. Multiple tags can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then processes the deletes.
You must specify at least one add or delete parameter.
[ Top ]
https://<host>:<mPort>/services/search/tags
Authentication: Not required
Provides management of search time tags.
| Method | Description | Formats |
|---|---|---|
| GET | Returns a list of all search time tags. | XML, JSON |
search/tags method detailNone
None
[ Top ]
https://<host>:<mPort>/services/search/tags/{tag_name}
Authentication: Not required
Manage {tag_name} values.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes the tag, and its associated field:value pair assignments. | XML, JSON |
| GET | Returns a list of field:value pairs associated with the tag specified by {tag_name}. | XML, JSON |
| POST | Updates the field:value pairs associated with {tag_name}. | XML, JSON |
search/tags/{tag_name} method detailNone
None
The resulting change in tags.conf is to set all field:value pairs to disabled.
search/tags/{tag_name} method detailNone
None
search/tags/{tag_name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| add | String | A field:value pair to tag with {tag_name}. | |
| delete | String | A field:value pair to remove from {tag_name}. |
None
Multiple field:value pairs can be attached by passing multiple add or delete form parameters. The server processes all of the adds first, and then deletes.
If {tag_name} does not exist, then the tag is created inline. Notification is sent to the client using the HTTP 201 status.
[ Top ]
https://<host>:<mPort>/services/admin/summarization/?by_tstats=1
Review data model acceleration information.
Authentication: Required. Authorization to access data model acceleration information is role-based.
| Method | Description | Formats |
|---|---|---|
| GET | Returns a list of field:value pairs giving current data model acceleration information. | XML, JSON |
[ Top ]
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T19:26:11-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T19:26:11-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl nodes elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/lookup-in-staging-dir.csv -d name=lookup.csv
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:26:35-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:26:35-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:43:11-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:37:25-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:37:25-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>eai:data</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv -d eai:data=/opt/splunk/var/run/splunk/lookup_tmp/another-lookup-in-staging-dir.csv
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>lookup-table-files</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files</id>
<updated>2011-07-21T18:41:52-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lookup.csv</title>
<id>https://localhost:8089/servicesNS/admin/search/data/lookup-table-files/lookup.csv</id>
<updated>2011-07-21T18:41:52-07:00</updated>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="list"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="edit"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv" rel="remove"/>
<link href="/servicesNS/admin/search/data/lookup-table-files/lookup.csv/move" rel="move"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:data">
<![CDATA[/opt/splunk/etc/users/admin/search/lookups/lookup.csv]]> </s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:01:50-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:01:50-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields -d name=response_time -d stanza=%3Caccess_common%3E -d value=response_time/1000
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T14:58:45-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T14:58:45-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:33:06-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:05:09-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:05:09-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
... eai:attributes node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/1000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time -d value=response_time/100
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>props-eval</title>
<id>https://localhost:8089/services/data/props/calcfields</id>
<updated>2012-10-01T15:14:19-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/props/calcfields/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title><access_common> : EVAL-response_time</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time</id>
<updated>2012-10-01T15:14:19-07:00</updated>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="list"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/calcfields/%3Caccess_common%3E%20%3A%20EVAL-response_time/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EVAL-response_time</s:key>
... eai:acl node elided ...
<s:key name="field.name">response_time</s:key>
<s:key name="stanza"><access_common></s:key>
<s:key name="type">EVAL</s:key>
<s:key name="value">response_time/100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T22:55:04-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>access_combined : REPORT-access</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access</id>
<updated>2011-07-10T22:55:04-07:00</updated>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="list"/>
<link href="/servicesNS/nobody/system/data/props/extractions/access_combined%20%3A%20REPORT-access" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">REPORT-access</s:key>
... eai:acl node elided ...
<s:key name="stanza">access_combined</s:key>
<s:key name="type">Uses transform</s:key>
<s:key name="value">access-extractions</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions -d name=port -d stanza=ftp_log -d type=EXTRACT -d "value=port (?<port_number>\d+)"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T22:56:17-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T22:56:17-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:05:42-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:02:31-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T23:02:31-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>value</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">connection on port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port -d "value=connection on port (?<port_number>\d+)"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions</id>
<updated>2011-07-10T23:05:05-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>ftp_log : EXTRACT-port</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port</id>
<updated>2011-07-10T23:05:05-07:00</updated>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="list"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/extractions/ftp_log%20%3A%20EXTRACT-port/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">EXTRACT-port</s:key>
... eai:acl node elided ...
<s:key name="stanza">ftp_log</s:key>
<s:key name="type">Inline</s:key>
<s:key name="value">connection on port (?<port_number>\d )</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:31:41-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:31:41-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases -d name=alias_name -d stanza=my_sourcetype -d alias.foo=bar
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:30:17-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:30:17-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:37:45-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:33:00-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:33:00-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.foo">bar</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>alias\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">foo AS bar</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name -d alias.hi=hello -d alias.bye=goodbye
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>fieldaliases</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases</id>
<updated>2011-07-21T19:34:36-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : FIELDALIAS-alias_name</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name</id>
<updated>2011-07-21T19:34:36-07:00</updated>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="list"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/fieldaliases/my_sourcetype%20%3A%20FIELDALIAS-alias_name/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="alias.bye">goodbye</s:key>
<s:key name="alias.hi">hello</s:key>
<s:key name="attribute">FIELDALIAS-alias_name</s:key>
... eai:acl node elided ...
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="type">FIELDALIAS</s:key>
<s:key name="value">bye AS goodbye hi AS hello</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:43:53-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:43:53-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups -d name=my_lookup -d overwrite=1 -d stanza=my_sourcetype -d transform=my_transform -d lookup.field.input.foo= -d lookup.field.output.fuzz=
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:43:31-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:43:31-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:32-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:06-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:44:06-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>overwrite</s:item>
<s:item>transform</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>lookup\.field\.input\..*</s:item>
<s:item>lookup\.field\.output\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="lookup.field.input.foo"/>
<s:key name="lookup.field.output.fuzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">my_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">my_transform foo OUTPUT fuzz</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup -d overwrite=1 -d transform=other_transform -d lookup.field.input.bar= -d lookup.field.output.buzz=
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>props-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups</id>
<updated>2011-08-01T20:44:21-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_sourcetype : LOOKUP-my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup</id>
<updated>2011-08-01T20:44:21-07:00</updated>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/lookups/my_sourcetype%20%3A%20LOOKUP-my_lookup/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">LOOKUP-my_lookup</s:key>
... eai:acl node elided ...
<s:key name="lookup.field.input.bar"/>
<s:key name="lookup.field.output.buzz"/>
<s:key name="overwrite">1</s:key>
<s:key name="stanza">my_sourcetype</s:key>
<s:key name="transform">other_transform</s:key>
<s:key name="type">LOOKUP</s:key>
<s:key name="value">other_transform bar OUTPUT buzz</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:40:53-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:40:53-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename -d name=hardware -d value=hw
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:39:57-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:39:57-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:49:16-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:44:47-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:44:47-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>value</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hw</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware -d value=hrdwr
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype-rename</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename</id>
<updated>2011-07-12T15:46:58-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>hardware</title>
<id>https://localhost:8089/servicesNS/admin/search/data/props/sourcetype-rename/hardware</id>
<updated>2011-07-12T15:46:58-07:00</updated>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="list"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="edit"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware" rel="remove"/>
<link href="/servicesNS/admin/search/data/props/sourcetype-rename/hardware/move" rel="move"/>
<content type="text/xml">
<s:dict>
<s:key name="attribute">rename</s:key>
... eai:acl node elided ...
<s:key name="stanza">hardware</s:key>
<s:key name="type">rename</s:key>
<s:key name="value">hrdwr</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:28:03-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>access-extractions</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/transforms/extractions/access-extractions</id>
<updated>2011-07-21T20:28:03-07:00</updated>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="list"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions" rel="edit"/>
<link href="/servicesNS/nobody/system/data/transforms/extractions/access-extractions/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">
<![CDATA[^[[nspaces:clientip]]\s++[[nspaces:ident]]\s++[[nspaces:user]]\s++[[sbstring:req_time]]\s++[[access-request]]\s++[[nspaces:status]]\s++[[nspaces:bytes]](?:\s++"(?<referer>[[bc_domain:referer_]]?+[^"]*+)"(?:\s++[[qstring:useragent]](?:\s++[[qstring:cookie]])?+)?+)?[[all:other]]]]> </s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d name=my_transform
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:25:20-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:25:20-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:34:30-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:29:00-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:29:00-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>CAN_OPTIMIZE</s:item>
<s:item>CLEAN_KEYS</s:item>
<s:item>FORMAT</s:item>
<s:item>KEEP_EMPTY_VALS</s:item>
<s:item>MV_ADD</s:item>
<s:item>disabled</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>REGEX</s:item>
<s:item>SOURCE_KEY</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform -d REGEX="(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)" -d SOURCE_KEY=_raw -d CLEAN_KEYS=false
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-extract</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions</id>
<updated>2011-07-21T20:33:13-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_transform</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/extractions/my_transform</id>
<updated>2011-07-21T20:33:13-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/extractions/my_transform/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">0</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX">(?<_KEY_1>[a-z]*),(?<_VAL_1>[a-z]*)</s:key>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:10:44-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dnslookup</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/transforms/lookups/dnslookup</id>
<updated>2011-08-01T21:10:44-07:00</updated>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="list"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup" rel="edit"/>
<link href="/servicesNS/nobody/system/data/transforms/lookups/dnslookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="external_cmd">external_lookup.py clienthost clientip</s:key>
<s:key name="fields_list">clienthost clientip</s:key>
<s:key name="type">external</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups -d name=my_lookup -d filename=lookup.csv
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:10:33-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-08-01T21:10:33-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="filename">lookup.csv</s:key>
<s:key name="type">file</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-07-21T20:03:24-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-08-01T21:11:01-07:00</updated>
<generator version="105049"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-08-01T21:11:01-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>default_match</s:item>
<s:item>disabled</s:item>
<s:item>external_cmd</s:item>
<s:item>fields_list</s:item>
<s:item>filename</s:item>
<s:item>max_matches</s:item>
<s:item>max_offset_secs</s:item>
<s:item>min_matches</s:item>
<s:item>min_offset_secs</s:item>
<s:item>time_field</s:item>
<s:item>time_format</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="filename">lookup.csv</s:key>
<s:key name="type">file</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup -d external_cmd=myscript.py -d fields_list=a,b,c
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>transforms-lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups</id>
<updated>2011-07-21T20:00:07-07:00</updated>
<generator version="104309"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/_new" rel="create"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>my_lookup</title>
<id>https://localhost:8089/servicesNS/admin/search/data/transforms/lookups/my_lookup</id>
<updated>2011-07-21T20:00:07-07:00</updated>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="list"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="edit"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup" rel="remove"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/move" rel="move"/>
<link href="/servicesNS/admin/search/data/transforms/lookups/my_lookup/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="CAN_OPTIMIZE">1</s:key>
<s:key name="CLEAN_KEYS">1</s:key>
<s:key name="DEFAULT_VALUE"/>
<s:key name="DEST_KEY"/>
<s:key name="FORMAT"/>
<s:key name="KEEP_EMPTY_VALS">0</s:key>
<s:key name="LOOKAHEAD">4096</s:key>
<s:key name="MV_ADD">0</s:key>
<s:key name="REGEX"/>
<s:key name="SOURCE_KEY">_raw</s:key>
<s:key name="WRITE_META">0</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="external_cmd">myscript.py</s:key>
<s:key name="fields_list">a,b,c</s:key>
<s:key name="type">external</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration
feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
<updated>2013-08-24T12:45:20-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>simpleMyAppModel</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
<updated>2013-08-24T12:45:20-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">1</s:key>
<s:key name="acceleration.earliest_time">-1mon</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
<s:key name="eai:type">datamodels</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="search"><![CDATA[uri=* status=* clientip=* referer=* useragent=* (sourcetype=access_*) (status < 600) |
. . . elided . . .
"HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/acceleration/simpleMyAppModel
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/acceleration</id>
<updated>2013-08-24T12:55:07-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>simpleMyAppModel</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel</id>
<updated>2013-08-24T12:55:07-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/acceleration/simpleMyAppModel" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">1</s:key>
<s:key name="acceleration.earliest_time">-1mon</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">9a9dba7c96b3f81554e3773b8d8fe45e</s:key>
<s:key name="eai:type">datamodels</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="search"><![CDATA[uri=* status=* clientip=* referer=* useragent=* (sourcetype=access_*) (status < 600) |
. . . elided . . .
"HTTP_Request.HTTP_Success.is_not_Pageview", "HTTP_Request.HTTP_Success.Pageview.myevalfield2"]]>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/model
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-15T11:42:06-07:00</updated>
<generator build="176231" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-23T15:03:13-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description"><![CDATA[{"objects": [{"lineage": "HTTP_Request", "previewSearch": " | search (sourcetype=access_* OR sourcetype=iis*)
. . . elided . . .
"modelName": "MyApp", "displayName": "Web Intelligence"}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_change_perms">1</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_share_app">1</s:key>
<s:key name="can_share_global">1</s:key>
<s:key name="can_share_user">0</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">1</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>power</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">app</s:key>
</s:dict>
</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/model -d name=Debugger --data-urlencode description='{"modelName":"Debugger","displayName":"Debugger", "description": "A data model for debugging purposes". . . elided . . . }'
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://qa-sv-rh61x64-10:8089/services/datamodel/model</id>
<updated>2013-10-16T11:19:24-07:00</updated>
<generator build="183095" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Debugger</title>
<id>https://qa-sv-rh61x64-10:8089/servicesNS/admin/search/datamodel/model/Debugger</id>
<updated>2013-10-16T11:19:24-07:00</updated>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="list"/>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="edit"/>
<link href="/servicesNS/admin/search/datamodel/model/Debugger" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description">
<![CDATA[{"displayName": "Debugger", "modelName": "Debugger", "objectSummary": \
...
"autoextractSearch": " (index = _internal) "}]}]]>
</s:key>
<s:key name="displayName">Debugger</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
{'optionalFields': ['acceleration', 'acceleration.cron_schedule', \
'acceleration.earliest_time', 'eai:data'], 'requiredFields': [], 'wildcardFields': []}
</s:key>
<s:key name="eai:digest">05ca1a193365a3b613b919c6401591e3</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/datamodel/model/MyApp
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T15:00:54-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T13:07:36-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-24T13:07:36-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false}</s:key>
<s:key name="description"><![CDATA[{"modelName": "MyApp", "objectNameList": ["HTTP_Request", "ApacheAccessSearch", "IISAccessSearch",
. . . elided . . .
"Interface Implementations": 0, "Search-Based": 1}, "description": "Data model for web analytics.", "displayName": "Web Intelligence"}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>acceleration</s:item>
<s:item>concise</s:item>
<s:item>description</s:item>
<s:item>provisional</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">b8ebd9315dddf8a5e572187f57ddc9de</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/datamodel/model/MyApp -d concise=true
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://myserver-centos62x64-4:8789/services/datamodel/model</id>
<updated>2013-08-24T13:35:54-07:00</updated>
<generator build="178272" version="6.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/datamodel/model/_new" rel="create"/>
<link href="/services/datamodel/model/desc" rel="desc"/>
<link href="/services/datamodel/model/report" rel="report"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>MyApp</title>
<id>https://myserver-centos62x64-4:8789/servicesNS/nobody/search/datamodel/model/MyApp</id>
<updated>2013-08-24T13:35:54-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="list"/>
<link href="/servicesNS/nobody/search/datamodel/model/MyApp" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="acceleration">{"enabled": false, "earliest_time": "-1mon"}</s:key>
<s:key name="description"><![CDATA[{"modelName": "MyApp", "objects": [{"constraints": [{"search": "sourcetype=access_* OR
. . . elided . . .
"PodcastDownload", "WebSession", "User"], "description": "Data model for web analytics."}]]>
</s:key>
<s:key name="displayName">Web Intelligence</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">{'wildcardFields': [], 'requiredFields': [], 'optionalFields': ['acceleration', 'acceleration.cron_schedule', 'acceleration.earliest_time', 'eai:data']}</s:key>
<s:key name="eai:digest">d73ff2d833e3104eed99a8fd258dbae1</s:key>
<s:key name="eai:type">datamodels</s:key>
<s:key name="eai:userName">admin</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass -G https://localhost:8089/services/datamodel/pivot/Authentication --data-urlencode pivot_search='| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"'
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title></title>
<id>https://localhost:8089/services/datamodel/pivot</id>
<updated>2013-08-26T15:07:57-07:00</updated>
<generator build="178683" version="20130826"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Authentication</title>
<id>https://localhost:8089/servicesNS/nobody/search/datamodel/pivot/Authentication</id>
<updated>2013-08-26T15:07:57-07:00</updated>
<link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/datamodel/pivot/Authentication" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="drilldown_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>is_pivot_command</s:item>
<s:item>namespace</s:item>
<s:item>pivot_json</s:item>
<s:item>pivot_search</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:digest">e74d56a3b4a25256028f3a236e3d2cbc</s:key>
<s:key name="eai:type">models</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="open_in_search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="pivot_json"><![CDATA[{"rowFormat": {"showSummary": false}, "cells": [{"label": "Count of Untagged Authentication (S.o.S)", "value": "count", "fieldName": "Untagged_Authentication", "type": "objectCount", "owner": "Untagged_Authentication"}], "filters": [], "modelName": "Authentication", "baseClass": "Untagged_Authentication", "rows": [], "columns": [], "colFormat": {"showSummary": false, "showOther": true}}]]></s:key>
<s:key name="pivot_search">| pivot Authentication Untagged_Authentication count(Untagged_Authentication) AS "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="search">| search (login OR "log in" OR authenticated) sourcetype!=stash NOT tag=authentication | stats count AS "Count of Untagged Authentication (S.o.S)" | fields , "Count of Untagged Authentication (S.o.S)"| fillnull "Count of Untagged Authentication (S.o.S)"</s:key>
<s:key name="tstats_search"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>directory</title>
<id>https://localhost:8089/services/directory</id>
<updated>2011-05-16T19:03:40-0700</updated>
<generator version="98144"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>_admin</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/ui/views/_admin</id>
<updated>2011-05-16T19:03:40-0700</updated>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="list"/>
<link href="/servicesNS/nobody/system/data/ui/views/_admin/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/ui/views/_admin" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>abc</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/abc</id>
<updated>2011-05-16T19:03:40-0700</updated>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="alternate"/>
<author>
<name>ssorkin</name>
</author>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="list"/>
<link href="/servicesNS/nobody/search/data/ui/views/abc/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/ui/views/abc" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/directory/dashboard_live
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>directory</title>
<id>https://localhost:8089/services/directory</id>
<updated>2011-05-16T19:09:59-0700</updated>
<generator version="98144"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>dashboard_live</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/ui/views/dashboard_live</id>
<updated>2011-05-16T19:09:59-0700</updated>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="list"/>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/ui/views/dashboard_live" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:type">views</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:46:52-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>internal_search_terms</title>
<id>https://localhost:8089/servicesNS/nobody/system/saved/eventtypes/internal_search_terms</id>
<updated>2011-07-10T23:46:52-07:00</updated>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="list"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms" rel="edit"/>
<link href="/servicesNS/nobody/system/saved/eventtypes/internal_search_terms/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">
<![CDATA[( "After evaluating args" OR "Before evaluating args" OR "context dispatched for search=" OR "SearchParser - PARSING" OR "got search" OR "_dispatchNewSearch - search" OR "search:* - q" OR ( decomposition fullsearch ) OR "PAAAAAARSER! - search" OR "view:* - DECOMPOSITION" OR "Splunk.Module.SearchBar .setInputField" OR ( typeahead prefix ) OR "DEBUG HTTPServer - Deleting request=GET" OR /en-US/api/search/typeahead )]]> </s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes -d name="client-errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:47:10-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:47:10-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:48:29-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:47:17-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:47:17-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>priority</s:item>
<s:item>tags</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors -d description="HTTP Client Errors" --data-urlencode search=search="http client error NOT (403 OR 404)"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>eventtypes</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes</id>
<updated>2011-07-10T23:48:22-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/eventtypes/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>client-errors</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/eventtypes/client-errors</id>
<updated>2011-07-10T23:48:22-07:00</updated>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="list"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="edit"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors" rel="remove"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/eventtypes/client-errors/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="description">HTTP Client Errors</s:key>
<s:key name="disabled">0</s:key>
... eai:acl node elided ...
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="priority">1</s:key>
<s:key name="search">search</s:key>
<s:key name="tags">
<s:list/>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Fields</title>
<id>/servicesNS/admin/search/search/fields</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>_indextime</title>
<id>/servicesNS/admin/search/search/fields/_indextime</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/_indextime" rel="alternate"/>
</entry>
<entry>
<title>_sourcetype</title>
<id>/servicesNS/admin/search/search/fields/_sourcetype</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/_sourcetype" rel="alternate"/>
</entry>
<entry>
<title>date_hour</title>
<id>/servicesNS/admin/search/search/fields/date_hour</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/date_hour" rel="alternate"/>
</entry>
. . . elided . . .
<entry>
<title>splunk_server</title>
<id>/servicesNS/admin/search/search/fields/splunk_server</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/splunk_server" rel="alternate"/>
</entry>
<entry>
<title>timeendpos</title>
<id>/servicesNS/admin/search/search/fields/timeendpos</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/timeendpos" rel="alternate"/>
</entry>
<entry>
<title>timestartpos</title>
<id>/servicesNS/admin/search/search/fields/timestartpos</id>
<updated>2011-07-11T10:04:51-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/timestartpos" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/sourcetype
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>sourcetype</title>
<id>/servicesNS/admin/search/search/fields/sourcetype</id>
<updated>2011-07-11T10:08:54-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/sourcetype" rel="alternate"/>
<content type="text"> Attr:INDEXED True
Attr:INDEXED_VALUE False
Attr:TOKENIZER
</content>
</entry>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<title>Tags for the host field</title>
<id>/servicesNS/admin/search/search/fields/host/tags</id>
<updated>2011-07-11T10:41:46-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>location::sfo</title>
<id>/servicesNS/admin/search/search/fields/host/tags#location::sfo</id>
<updated>2011-07-11T10:41:46-07:00</updated>
<link href="/servicesNS/admin/search/search/fields/host/tags#location::sfo" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/fields/host/tags -d add=sfo -d delete=nyc -d value=location
<response>
<messages>
<msg type='INFO'>Successfully processed adds/deletes for field host</msg>
</messages>
</response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Tags</title>
<id>/servicesNS/admin/search/search/tags</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>machine</title>
<id>/servicesNS/admin/search/search/tags/machine</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/machine" rel="alternate"/>
</entry>
<entry>
<title>user</title>
<id>/servicesNS/admin/search/search/tags/user</id>
<updated>2011-07-08T01:35:09-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/user" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/search/tags/user
<response>
<messages>
<msg type="INFO">Tag successfully deleted</msg>
</messages>
</response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>Field::Value pairs with tag user</title>
<id>/servicesNS/admin/search/search/tags/user</id>
<updated>2011-07-08T01:35:28-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<entry>
<title>eventtype::userupdate</title>
<id>/servicesNS/admin/search/search/tags/user#eventtype::userupdate</id>
<updated>2011-07-08T01:35:28-07:00</updated>
<link href="/servicesNS/admin/search/search/tags/user#eventtype::userupdate" rel="alternate"/>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/tags/user -d add=eventtype::userupdate -d delete=eventtype::useradd-suse
<response>
<messages>
<msg type="INFO">Processed adds/deletes for tag</msg>
</messages>
</response>
curl -k -u admin:pass https://localhost:8089/services/admin/summarization/?by_tstats=1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>summarization</title>
<id>https://localhost:8089/services/admin/summarization</id>
<updated>2015-06-01T15:21:20-07:00</updated>
<generator build="e343948e242181aa7b94257ede83830605c853d9" version="20150526"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/admin/summarization/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>tstats:DM_search_mydatamodel</title>
<id>https://localhost:8089/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel</id>
<updated>2015-06-01T15:21:20-07:00</updated>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="list"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel" rel="remove"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/details" rel="details"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/reschedule" rel="reschedule"/>
<link href="/servicesNS/nobody/search/admin/summarization/tstats%3ADM_search_mydatamodel/touch" rel="touch"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">search</s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms"/>
<s:key name="removable">0</s:key>
<s:key name="sharing">user</s:key>
</s:dict>
</s:key>
<s:key name="search"><![CDATA[search search (index=* OR index=_*) (index=_internal) | eval nodename = "rootevent"| eval is_Age=if(searchmatch("(avg_age)"),1,0), is_not_Age=1-is_Age | eval nodename = if(nodename == "rootevent" AND searchmatch("(avg_age)"), mvappend(nodename, "rootevent.Age"), nodename) | rename abandoned_channels AS rootevent.abandoned_channels average_kbps AS rootevent.average_kbps avg_age AS rootevent.avg_age bytes AS rootevent.bytes clientip AS rootevent.clientip color AS rootevent.color component AS rootevent.component cookie AS rootevent.cookie cpu_seconds AS rootevent.cpu_seconds cumulative_hits AS rootevent.cumulative_hits current_queue_size AS rootevent.current_queue_size current_size AS rootevent.current_size current_size_kb AS rootevent.current_size_kb date_hour AS rootevent.date_hour is_Age AS rootevent.is_Age is_not_Age AS rootevent.is_not_Age | fields nodename, _time, host, source, sourcetype, rootevent.abandoned_channels, rootevent.average_kbps, rootevent.avg_age, rootevent.bytes, rootevent.clientip, rootevent.color, rootevent.component, rootevent.cookie, rootevent.cpu_seconds, rootevent.cumulative_hits, rootevent.current_queue_size, rootevent.current_size, rootevent.current_size_kb, rootevent.date_hour, rootevent.is_Age, rootevent.is_not_Age]]></s:key>
<s:key name="summary.access_count">0</s:key>
<s:key name="summary.access_time">0</s:key>
<s:key name="summary.buckets">22</s:key>
<s:key name="summary.buckets_size">273</s:key>
<s:key name="summary.complete">1.000000</s:key>
<s:key name="summary.earliest_time">1432174156</s:key>
<s:key name="summary.id">DM_search_mydatamodel</s:key>
<s:key name="summary.is_inprogress">0</s:key>
<s:key name="summary.last_error"></s:key>
<s:key name="summary.last_sid">scheduler__nobody__search__RMD5692d85674596d683_at_1433197200_18815</s:key>
<s:key name="summary.latest_time">1432684089</s:key>
<s:key name="summary.mod_time">1433196908</s:key>
<s:key name="summary.size">61153280</s:key>
<s:key name="summary.time_range">604800</s:key>
</s:dict>
</content>
</entry>
</feed>
This introduction describes syntax common to all App KV Store REST endpoints. For a description of how to use the App KV Store REST API, see App Key Value Store.
App KV store provides:
A Collection is a container of "documents" or "values". Most documents have a similar structure, although structure is not enforced. For example, a Collection might have Notable Events or entities.
Collections are declared in a collections.conf configuration file, where a stanza is a single collection.
Collections are Splunk Enterprise entities, which means they are permissioned using the Splunk Enterprise RBAC/ACL system. One reason of exposing Collections as entities is to ensure they are properly managed by Splunk Enterprise. But, the implementation permits only app-level collections. This means that collections can be defined only in the etc/apps/<app>/<default|local> directory, not in etc/users/.... Attempts to create a user-specific Collection using the API fail and Collections created manually in the .conf files are ignored.
A collection stores key-value pairs consisting of a user-specified or autogenerated key and a JSON document-formatted value. A JSON document/object of values is enforced for simplicity instead of using integer or string raw values. For example, {"_key": "10.0.0.1", host: "bar.com"} defines the key ("10.0.0.1") and the full JSON document value.
A key is fetched, updated, and deleted. Partial updates, including array append, are prohibited. You must set the whole document. Keys are unique within a collection and support only the basic JSON data types: boolean, string, number, object, array, and null.
A value is specified in the _key attribute of the document and, if one is not specified, a random value with a desirable sort order is automatically generated.
A collection defined at:
/servicesNS/nobody/search/storage/mycollection
can have operations performed on it using the following URLs:
/servicesNS/nobody/search/storage/mycollection /servicesNS/itay/search/storage/mycollection /servicesNS/mark/search/storage/mycollection
Namespaces are separate, and data are not interleaved. Wildcard operations on the <user> or <app> parts of the namespace are prohibited.
User-specific collections are not supported so all users, including nobody, share a single namespace and _key is unique across all namespaces.
Defining a set of types for some fields in a collection is provided. If a field has no type defined, it uses the type submitted over the API. If a type conversion fails, the insert/update operation is aborted. For example, if the collections.conf file has the following collection,
[mycollection]
field.enabled = bool
field.data.range = cidr
the data inserted or updated in the collection have the fields enabled and range-converted to the applicable type:
* array
* number
* boolean
* time
* string
* cidr
Items need to specified using the field prefix only if type needs to be enforced for the field. The array type is not enforceable so does not need to be specified.
Arrays do not change a nested key name. For example, the key "a.b.c" can refer to {"a": {"b": {"c": 1}}} or {"a": {"b": [{"c": 1}]}}.
All strings/numbers/booleans are converted to doubles. If a number fails to convert, it inserts the string instead. Booleans All numbers/strings/booleans are converted to booleans. If a boolean fails to convert, it inserts the string instead. Epoch time can be a string or as a number. If it fails to convert, the string version is inserted.
Everything is converted to a string.
All provided strings are converted to canonical CIDR strings. For example:
127.0.0.1 -> 127.000.000.001/32
127.0.0.0/24 -> 127.000.000.000/24
127.0.0/24 -> 127.000.000.000/24
with similar canonicalization for IPv6:
2001:db8::/96 -> 2001:0db8:0000:0000:0000:0000:0000:0000/096
2001:db8:0:0:0:0:0:ffff -> 2001:0db8:0000:0000:0000:0000:0000:ffff/128
Combining the Data and Index patterns, gives the ability to do basic querying. Queries are limited to the basic operators available in most databases, and at the moment do not expose in-array and not-in-array containers. A query may have the following operators:
Queries are permitted whether or not an index covers the query. If it the index does not cover the query, the query takes longer. For example, a query to find all Notable Events authored by userA or userB might look like:
{ $or: [ { author: "userA" }, { author: "userB" } ] }
The REST API for App KV Store implements the GET, PUT, POST, and DELETE methods described in this reference.
The PUT and POST methods are interchangeable, having identical behavior.
https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/config
Authentication: Required
Create or list connections.
| Method | Description | Formats |
|---|---|---|
| GET | List all collections. | XML, JSON |
| PUT, POST | Create a new collection. | XML, JSON |
storage/collections/config method detailNone
| Name | Description |
|---|---|
| disabled | Collection state: true = disabled. false = [Default] enabled. |
| profilingEnabled | Profiling status of slow-running operations: true = Profiling enabled. false = (Default) Profiling disabled. |
| profilingThresholdMs | Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. |
storage/collections/config method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | Collection name. | |
| profilingEnabled | Boolean | A collections.conf file property. Affects profilingThresholdMs. Enable profiling of slow-running operations: true = Enable profiling. false = (Default) Disable profiling. | |
| profilingThresholdMs | Number | Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. This can have a performance impact on the collection. 0 = Log all slow-running operations. Default = 100. |
| Name | Description |
|---|---|
| disabled | Collection state: true = disabled. false = [Default] enabled. |
| profilingEnabled | Profiling status of slow-running operations, affecting profilingThresholdMs: true = Profiling enabled. false = (Default) Profiling disabled. |
| profilingThresholdMs | Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. |
[ Top ]
https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/config/{collection}
Authentication: Required
Manage a specific collection.
| Method | Description | Formats |
|---|---|---|
| DELETE | Drop the {collection} collection. | XML, JSON |
| GET | Get {collection} collection information. | XML, JSON |
| POST | Update the {collection} collection. | XML, JSON |
storage/collections/config/{collection} method detailNone
None
storage/collections/config/{collection} method detailNone
| Name | Description |
|---|---|
| disabled | Collection state: true = disabled. false = [Default] enabled. |
| field.<fieldType> | Field type for field <fieldType>. One of: array number bool string cidr time |
| index.<indexName> | Index definition named <indexName>. |
| profilingEnabled | Profiling status of slow-running operations, affecting profilingThresholdMs: true = Profiling enabled. false = (Default) Profiling disabled. |
| profilingThresholdMs | Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. |
storage/collections/config/{collection} method detail| Name | Type | Default | Description |
|---|---|---|---|
| field.<fieldType> | String | Field type for field <fieldType>. One of: array number bool string cidr time | |
| index.<indexName> | String | Index definition named <indexName>. |
| Name | Description |
|---|---|
| disabled | Collection state: true = disabled. false = [Default] enabled. |
| field.<fieldType> | Field type for field <fieldType>. One of: array number bool string cidr time |
| index.<indexName> | Index definition named <indexName>. |
| profilingEnabled | Profiling status of slow-running operations, affecting profilingThresholdMs: true = Profiling enabled. false = (Default) Profiling disabled. |
| profilingThresholdMs | Threshold for logging slow-running operations, in milliseconds. Applies only if profilingEnabled = true. |
[ Top ]
https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/data/{collection}
Authentication: Required
Manage items of a collection.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete item(s) in the {collection} collection. | XML, JSON |
| GET | Get items in the {collection} collection. | XML, JSON |
| PUT, POST | Insert an item in the {collection} collection. | JSON |
storage/collections/data/{collection} method detailNone
The request deletes entries matching the query. If no query is provided, all entries in the collection are deleted.
storage/collections/data/{collection} method detail| Name | Type | Default | Description |
|---|---|---|---|
| fields | String | Comma-separated list of fields to include (1) or exclude (0). A fields value cannot contain both include and exclude specifications except for exclusion of the _id field. Examples:fields=firstname,surname (Include only firstname, surname, and _id fields)fields=firstname,surname,_id:0 (Include only the firstname and surname fields.fields=address:0 (Include all fields except the address field)
| |
| limit | Number | Maximum number of items to return. Example:limit=5 (Return five items)
| |
| skip | Number | Number of items to skip from the start. Example:skip=10 (Skip first 10 items)
| |
| sort | String | Sort order. Examples:sort=surname (Sort by surname, ascending)sort=surname,firstname</<code> (Sort by <code>surname, ascending, after firstname, ascending)sort=surname:-1,firstname:1 (Sort by surname, descending, after firstname, ascendingsort=surname:1,firstname<code> (Sort by <code>surname, ascending, after firstname, ascending
| |
| query | JSON object | Query JSON object. Conditional operators: $gt, $gte, $lt, $lte, and $neLogical operators: $and, $or, and ,$not (invert conditional operators)Examples: query={"title":"Item"} (Select all documents with property title that has value Item)query={"price":{"$gt":5}} (Select all documents with price greater than 5)
|
JSON document. Example:
[ { <span style="color: #008000; font-weight: bold">"myKey"</span> : <span style="color: #BA2121">"abc"</span>, <span style="color: #008000; font-weight: bold">"_user"</span> : <span style="color: #BA2121">"nobody"</span>, <span style="color: #008000; font-weight: bold">"_key"</span> : <span style="color: #BA2121">"5410be5441ba15298e4624d1"</span> } ]
Parameter order does not matter. Parameters are always applied in the order of sort, skip, and limit.
storage/collections/data/{collection} method detailJSON-formatted document.
Example:
{ "name": "A" }
JSON-formatted document ID.
Example:
{
"_id": "530bc62fc9a6577fdf13651f"
}
The Content-Type header must be application/json.
The _id is autogenerated, if not manually specified.
[ Top ]
https://<host>:<mPort>/servicesNS/{owner}/{app}/storage/collections/data/{collection}/{key}
Authentication: Required
Manage a specific item of a collection.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete item {key} in {collection}. | XML, JSON |
| GET | Get item in {collection} by {key} | XML, JSON |
| PUT, POST | Update the {key} item in {collection}. | JSON |
storage/collections/data/{collection}/{key} method detailNone
None
storage/collections/data/{collection}/{key} method detailNone
JSON-formatted {key} document.
Example:
{"myKey" : "abc", "myOtherKey" : "uvwxyz", "_user" : "nobody", "_key" : "5410c8dc41ba15298e4624d5"}
storage/collections/data/{collection}/{key} method detailJSON-formatted document for {key}.
Example:
{ "myKey": "fizz"}
JSON-formatted {key}.
Example:
{"_key":"5410c8dc41ba15298e4624d5"}
The header Content-Type must be application/json.
[ Top ]
https://<host>:<mPort>/servicesNS/storage/collections/data/{collection}/batch_save
Authentication: Required
Perform multiple save operations.
| Method | Description | Formats |
|---|---|---|
| POST | Perform multiple save operations. | JSON |
storage/collections/data/{collection}/batch_save method detailJSON array of documents to save.
JSON-formatted list of keys added.
Example:
[ "5410c43241ba15298e4624d3", "5418c54e41ba152267763c01" ]
Header Content-Type must be application/json.
If a document does not have an _key field or store does not have a matching document ID, an _key new document is created.
If an operation fails, the server stops batch processing and returns an HTTP status code other than 200:
[ Top ]
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:28:27-07:00</updated> <generator build="229629" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
<link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>kvstoredemo</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/kvstoredemo</id>
<updated>2014-09-02T11:28:27-07:00</updated>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="list"/>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo" rel="remove"/>
<link href="/servicesNS/nobody/search/storage/collections/config/kvstoredemo/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="profilingEnabled">false</s:key>
<s:key name="profilingThresholdMs">100</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>test</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
<updated>2014-09-02T11:28:27-07:00</updated>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="profilingEnabled">false</s:key>
<s:key name="profilingThresholdMs">100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme -d name=test1 http://localhost:8089/servicesNS/nobody/search/storage/collections/config
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:25:32-07:00</updated> <generator build="229629" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
<link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>test1</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test1</id>
<updated>2014-09-02T11:25:32-07:00</updated>
<link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="list"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test1/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test1" rel="remove"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test1/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="profilingEnabled">false</s:key>
<s:key name="profilingThresholdMs">100</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test -X DELETE
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>collections-conf</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id>
<updated>2014-06-02T20:08:11-07:00</updated>
<generator build="210538" version="20140530"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/>
<link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/config/test
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"> <title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:42:54-07:00</updated> <generator build="229629" version="6.2"/>
<author>
<name>Splunk</name>
</author> <link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/> <link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry>
<title>test</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
<updated>2014-09-02T11:42:54-07:00</updated>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes"> ... elided ... </s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="profilingEnabled">false</s:key>
<s:key name="profilingThresholdMs">100</s:key>
</s:dict>
</content>
</entry> </feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test -d 'index.foo={"a": 1}' -d 'index.bar={"b": -1}' -d "field.a=number" -d "field.b=cidr"
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>collections-conf</title> <id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config</id> <updated>2014-09-02T11:50:57-07:00</updated> <generator build="229629" version="6.2"/>
<author>
<name>Splunk</name>
</author> <link href="/servicesNS/nobody/search/storage/collections/config/_new" rel="create"/> <link href="/servicesNS/nobody/search/storage/collections/config/_reload" rel="_reload"/> ... opensearch nodes elided ... <s:messages/> <entry>
<title>test</title>
<id>https://localhost:8089/servicesNS/nobody/search/storage/collections/config/test</id>
<updated>2014-09-02T11:50:57-07:00</updated>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="list"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="edit"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test" rel="remove"/>
<link href="/servicesNS/nobody/search/storage/collections/config/test/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">nobody</s:key>
<s:key name="index.foo">{"a": 1}
index.bar={"b": -1} field.a=number field.b=cidr</s:key>
<s:key name="profilingEnabled">false</s:key>
<s:key name="profilingThresholdMs">100</s:key>
</s:dict>
</content>
</entry> </feed>
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA -X DELETE
None
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA
[ { "myKey" : "abc", "_user" : "nobody", "_key" : "5410be5441ba15298e4624d1" } ]
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA -H "Content-Type: application/json" -d '{ "myKey": "abc", "myOtherKey": "abcdef"}'
{"_key":"5410be5441ba15298e4624d1"}
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/data/testCollectionA/5410caf041ba15298e4624d6 -X DELETE
None
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/collections/data/testCollectionA/5410c8dc41ba15298e4624d5
{ "myKey" : "abc", "myOtherKey" : "uvwxyz", "_user" : "nobody", "_key" : "5410c8dc41ba15298e4624d5" }
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA/5410c8dc41ba15298e4624d5 -H "Content-Type: application/json" -d '{ "myKey": "fizz"}'
{"_key":"5410c8dc41ba15298e4624d5"}
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/collections/data/testCollectionA/batch_save -H "Content-Type: application/json" -d '[{ "_key": "5410c43241ba15298e4624d3", "name": "AAAAAAAA" },{ "name": "A" }]}'
[ "5410c43241ba15298e4624d3", "5418c54e41ba152267763c01" ]
| This page is currently a work in progress; expect frequent near-term updates. |
Manage licensing configurations.
https://<host>:<mPort>/services/licenser/groups
Authentication: Not required
Provides access to the configuration of licenser groups.
A licenser group contains one or more licenser stacks that can operate concurrently. Only one licenser group is active at any given time.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all licenser groups. | XML, JSON |
licenser/groups method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| is_active | Indicates if the license group is active. |
| stack_ids | The license stacks in the license group. |
[ Top ]
https://<host>:<mPort>/services/licenser/groups/{name}
Authentication: Not required
Manage the {name} licenser group.
| Method | Description | Formats |
|---|---|---|
| GET | Lists a specific licenser group. | XML, JSON |
| POST | Activates specific licenser group with the side effect of deactivating the previously active one. | XML, JSON |
licenser/groups/{name} method detailNone
| Name | Description |
|---|---|
| is_active | Indicates if the license group is active. |
| stack_ids | The license stacks in the license group. |
A licenser group contains one or more licenser stacks that can operate concurrently. Only one licenser group is active at any given time.
licenser/groups/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| is_active required | Boolean | Active specific licenser group |
None
There can only be a single active licenser group for a given instance of Splunk. Use this to switch between, for example, free to enterprise, or download-trial to free.
[ Top ]
https://<host>:<mPort>/services/licenser/licenses
Authentication: Not required
Provides access to the licenses for this Splunk Enterprise instance.
A license enables various features for a splunk instance, including but not limitted to indexing quota, auth, search, forwarding, and so forth.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all licenses added. | XML, JSON |
| POST | Add a license entitlement to this instance. | XML, JSON |
licenser/licenses method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| creation_time | The creation time of this license, in Coordinated Universal Time (UTC). |
| expiration_time | The time this license expires, in Coordinated Universal Time (UTC). |
| features | The list of features and components enabled by this license. |
| group_id | The ID of the group to which this license belongs. |
| label | Plain text description of this license. |
| license_hash | Unique identifier for the license.
The REST API uses this identifier to access this license. |
| max_violations | The maximum number of violations allowed during the specified window period (window_period.
Searching is disabled when |
| quota | Daily indexing quota, in bytes, for this license. |
| sourcetypes | The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.
An empty list indicates all sourcetypes are allowed. |
| stack_id | The ID of the license stack to which this license belongs. |
| status | The status of a license can be either VALID or EXPIRED. |
| type | Provides any additional information about the type of this license. |
| window_period | The rolling period, in days, in which violations are aggregated. |
Only a subset of these licenses may be active however, this is simply listing all licenses in every stack/group, regardless of which group is active.
licenser/licenses method detail| Name | Type | Default | Description |
|---|---|---|---|
| name required | string | Path to license file on server. If the payload parameter is specified, the name parameter is ignored. | |
| payload | string | String representation of license, encoded in xml |
| Name | Description |
|---|---|
| creation_time | The creation time of this license, in Coordinated Universal Time (UTC). |
| expiration_time | The time this license expires, in Coordinated Universal Time (UTC). |
| features | The list of features and components enabled by this license. |
| group_id | The ID of the group to which this license belongs. |
| label | Plain text description of this license. |
| license_hash | Unique identifier for the license.
The REST API uses this identifier to access this license. |
| max_violations | The maximum number of violations allowed during the specified window period (window_period.
Searching is disabled when |
| payload | String representation of license, encoded in xml. |
| quota | Daily indexing quota, in bytes, for this license. |
| sourcetypes | The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.
An empty list indicates all sourcetypes are allowed. |
| stack_id | The ID of the license stack to which this license belongs. |
| status | The status of a license can be either VALID or EXPIRED. |
| type | Provides any additional information about the type of this license. |
| window_period | The rolling period, in days, in which violations are aggregated. |
[ Top ]
https://<host>:<mPort>/services/licenser/licenses/{name}
Authentication: Not required
Manage the {name} license.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the license with hash corresponding to {name}. | XML, JSON |
| GET | List attributes of specific license. | XML, JSON |
licenser/licenses/{name} method detailNone
None
You cannot delete the last license out of an active group. First, deactivate the group (by switching to another group) and then perform the delete.
licenser/licenses/{name} method detailNone
| Name | Description |
|---|---|
| creation_time | The creation time of this license, in Coordinated Universal Time (UTC). |
| expiration_time | The time this license expires, in Coordinated Universal Time (UTC). |
| features | The list of features and components enabled by this license. |
| group_id | The ID of the group to which this license belongs. |
| label | Plain text description of this license. |
| license_hash | Unique identifier for the license.
The REST API uses this identifier to access this license. |
| max_violations | The maximum number of violations allowed during the specified window period (window_period.
Searching is disabled when |
| quota | Daily indexing quota, in bytes, for this license. |
| sourcetypes | The list of allowed sourcetypes for this list. You cannot use this license to index sourcetypes that are not present in this list.
An empty list indicates all sourcetypes are allowed. |
| stack_id | The ID of the license stack to which this license belongs. |
| status | The status of a license can be either VALID or EXPIRED. |
| type | Provides any additional information about the type of this license. |
| window_period | The rolling period, in days, in which violations are aggregated. |
The {name} portion of URL is actually the hash of the license payload.
[ Top ]
https://<host>:<mPort>/services/licenser/localslave
Authentication: Required
Get information about relevant license state for the splunk instance.
| Method | Description | Formats |
|---|---|---|
| GET | Get information about relevant license state for the splunk instance | XML, JSON |
licenser/localslave method detailNone
| Name | Description |
|---|---|
| add_ons | List of add-ons resident on this instance, and add-on parameters. |
| connection_timeout | Instance connection timeout (seconds). |
| features | List of key-value pairs of the following features and their ENABLED/DISABLED status:
|
| last_master_contact_attempt_time | Time of last attempt to contact master. |
| last_master_contact_success_time | Time of last successful attempt to contact master. |
| last_trackerdb_service_time | Time of last license servicing, tracking persistent store. |
| license_keys | List of license keys this instance is using. |
| master_guid | Master license GUID. |
| master_uri | Master license URI. |
| receive_timeout | Network layer receive timeout for communication to master (seconds). |
| send_timeout | Network layer send timeout for communication to master (seconds). |
| slave_id | This instance GUID. |
| slave_label | This instance server name. |
| squash_threshold | Threshold that enables source/host squashing of rows of usage data sent to master periodically. |
[ Top ]
https://<host>:<mPort>/services/licenser/messages
Authentication: Not required
Provides access to licenser messages.
Messages may range from helpful warnings about being close to violations, licenses expiring or more severe alerts regarding overages and exceeding license warning window.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all messages/alerts/persisted warnings for this node. | XML, JSON |
licenser/messages method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| category | Indicates the category for the licenser message. The category can be any of the following:
license_window pool_over_quota stack_over_quota orphan_slave pool_warning_count pool_violated_slave_count |
| create_time | The time the message was created in the system, expressed in Coordinated Universal time (UTC). |
| description | The actual licenser message that is displayed. |
| pool_id | The ID of the licesne pool to which the message applies.
If a pool ID is not present, then the message in not applicable to a specific license pool. |
| severity | Indicates the severity of the message. The severity can be any of the following:
INFO WARN ERROR |
| slave_id | The ID of the license slave to which the message applies. |
| stack_id | The ID of the license stack to which the message applies.
If a stack ID is not present, thae the message is not applicable to a specific license stack. |
[ Top ]
https://<host>:<mPort>/services/licenser/messages/{name}
Authentication: Not required
Get the message with message ID {name}.
| Method | Description | Formats |
|---|---|---|
| GET | List specific message whose msgId corresponds to {name} component. | XML, JSON |
licenser/messages/{name} method detailNone
| Name | Description |
|---|---|
| category | Indicates the category for the licenser message. The category can be any of the following:
license_window pool_over_quota stack_over_quota orphan_slave pool_warning_count pool_violated_slave_count |
| create_time | The time the message was created in the system, expressed in Coordinated Universal time (UTC). |
| description | The actual licenser message that is displayed. |
| pool_id | The ID of the licesne pool to which the message applies.
If a pool ID is not present, then the message in not applicable to a specific license pool. |
| severity | Indicates the severity of the message. The severity can be any of the following:
INFO WARN ERROR |
| slave_id | The ID of the license slave to which the message applies. |
| stack_id | The ID of the license stack to which the message applies.
If a stack ID is not present, thae the message is not applicable to a specific license stack. |
[ Top ]
https://<host>:<mPort>/services/licenser/pools
Authentication: Not required
Provides access to the licenser pools configuration.
A pool logically partitions the daily volume entitlements of a stack. You can use a license pool to divide license privileges amongst multiple slaves.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerates all pools. | XML, JSON |
| POST | Create a license pool. | XML, JSON |
licenser/pools method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| description | Description of the license pool. |
| quota | The byte quota of this license pool.
MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack. Number: the number of bytes allowed by this license. |
| slaves | slaveids that are members of this pool.
Returned as a list in Atom format. See example below. |
| slaves_usage_bytes | Usage, in bytes, of slaves to this license. |
| stack_id | Stack ID of the stack corresponding to this pool. |
| used_bytes | Usage, in bytes, for this license pool. |
licenser/pools method detail| description | String | Description of this pool | |
| Name | Type | Default | Description |
|---|---|---|---|
| name required | String | The name of the license pool you are creating. | |
| quota required | String | Defines the byte quota of this pool.
Valid values: MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack. Number[MB|GB]: Specify a specific size. For example, 552428800, or simply specify 50MB. | |
| slaves | String | Comma-separated list of slaveids that are members of this pool, or '*' to accept all slaves.
You can also specify a comma-separated list of guids to specify slaves that can connect to this pool. | |
| stack_id required | Enum | Valid values: (download-trial | Enterprise | Forwarder | Free | Lite | Lite_Free)
Stack ID of the stack corresponding to this pool |
None
[ Top ]
https://<host>:<mPort>/services/licenser/pools/{name}
Authentication: Not required
Manage the {name} license pool.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete specified pool. | XML, JSON |
| GET | Lists details of the pool specified by {name}. | XML, JSON |
| POST | Edit properties of the pool specified by {name}. | XML, JSON |
licenser/pools/{name} method detailNone
None
Deleting pools is not supported for every pool. Certain stacks have fixed pools which cannot be deleted.
licenser/pools/{name} method detailNone
| Name | Description |
|---|---|
| description | Description of the license pool. |
| quota | The byte quota of this license pool.
MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack. Number: the number of bytes allowed by this license. |
| slaves | slaveids that are members of this pool.
Returned as a list in Atom format. See example below. |
| slaves_usage_bytes | Usage, in bytes, of slaves to this license. |
| stack_id | Stack ID of the stack corresponding to this pool. |
| used_bytes | Usage, in bytes, for this license pool. |
licenser/pools/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| append_slaves | Boolean | Flag which controls whether newly specified slaves is appended to existing slaves list or overwritten | |
| description | String | Description of this pool | |
| quota | String | Defines the byte quota of this pool.
Valid values: MAX: maximum amount allowed by the license. You can only have one pool with MAX size in a stack. Number[MB|GB]: Specify a specific size. For example, 552428800, or simply specify 50MB. | |
| slaves | String | Comma-separated list of slaveids that are members of this pool, or '*' to accept all slaves.
You can also specify a comma-separated list of guids to specify slaves that can connect to this pool. |
None
[ Top ]
https://<host>:<mPort>/services/licenser/slaves
Authentication: Not required
Provides access to slaves reporting to this license master.
| Method | Description | Formats |
|---|---|---|
| GET | List all slaves registered to this license master. | XML, JSON |
licenser/slaves method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| label | Plain text name for the license slave. |
| pool_ids | License pools for which this license slave is a member. |
| stack_ids | License stacks for which this license slave is a member. |
| warning_count | Number of license warnings issued for this license slave. |
Any slave that attempts to connect to master is reported, regardless of whether it is allocated to a master licenser pool.
[ Top ]
https://<host>:<mPort>/services/licenser/slaves/{name}
Authentication: Not required
Get {name} licenser slave license information.
| Method | Description | Formats |
|---|---|---|
| GET | List attributes of slave specified by {name}. | XML, JSON |
licenser/slaves/{name} method detailNone
| Name | Description |
|---|---|
| label | Plain text name for the license slave. |
| pool_ids | License pools for which this license slave is a member. |
| stack_ids | License stacks for which this license slave is a member. |
| warning_count | Number of license warnings issued for this license slave. |
[ Top ]
https://<host>:<mPort>/services/licenser/stacks
Authentication: Not required
Provides access to the license stack configuration.
A license stack is comprised of one or more licenses of the same "type". The daily indexing quota of a license stack is additive, so a stack represents the aggregate entitlement for a collection of licenses.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate all license stacks. | XML, JSON |
licenser/stacks method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| label | The name of this license stack. |
| quota | The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the license stack. |
| type | Any additional information about the type of this license stack. |
[ Top ]
https://<host>:<mPort>/services/licenser/stacks/{name}
Authentication: Not required
Get {name} license stack information.
| Method | Description | Formats |
|---|---|---|
| GET | Retrieve details of specific license stacks. | XML, JSON |
licenser/stacks/{name} method detailNone
| Name | Description |
|---|---|
| label | The name of this license stack. |
| quota | The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the license stack. |
| type | Any additional information about the type of this license stack. |
A license stack is comprised of one or more licenses of the same "type". The daily indexing quota of a license stack is additive, so a stack represents the aggregate entitlement for a collection of licenses.
[ Top ]
https://<host>:<mPort>/services/licenser/usage
Authentication: Required
Provides current license usage stats from the last minute.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate license usage information from the last minute. | XML, JSON |
licenser/usage method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| quota | The byte quota of this license stack. This value is the sum of the byte quota for all the licenses in the active license group. |
| slaves_usage_bytes | Slave usage bytes across all pools that are within the active license group. |
[ Top ]
[ Top ]
curl -k -u admin:pass https://localhost:8089/services/licenser/groups
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>groups</title>
<id>https://localhost:8089/services/licenser/groups</id>
<updated>2011-07-11T09:45:35-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Enterprise</title>
<id>https://localhost:8089/services/licenser/groups/Enterprise</id>
<updated>2011-07-11T09:45:35-07:00</updated>
<link href="/services/licenser/groups/Enterprise" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/groups/Enterprise" rel="list"/>
<link href="/services/licenser/groups/Enterprise" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="is_active">1</s:key>
<s:key name="stack_ids">
<s:list>
<s:item>enterprise</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/groups/Forwarder
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>groups</title>
<id>https://localhost:8089/services/licenser/groups</id>
<updated>2011-07-11T09:47:18-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>Forwarder</title>
<id>https://localhost:8089/services/licenser/groups/Forwarder</id>
<updated>2011-07-11T09:47:18-07:00</updated>
<link href="/services/licenser/groups/Forwarder" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/groups/Forwarder" rel="list"/>
<link href="/services/licenser/groups/Forwarder" rel="edit"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>is_active</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="is_active">0</s:key>
<s:key name="stack_ids">
<s:list>
<s:item>forwarder</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/groups/Enterprise -d is_active=1
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>groups</title>
<id>https://localhost:8089/services/licenser/groups</id>
<updated>2011-07-11T09:55:02-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/licenses
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>licenses</title>
<id>https://localhost:8089/services/licenser/licenses</id>
<updated>2011-07-11T09:30:33-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/licenses/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>E08B ... elided ...FA75BF</title>
<id>https://localhost:8089/services/licenser/licenses/E08B ... elided ...FA75BF</id>
<updated>2011-07-11T09:30:33-07:00</updated>
<link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="list"/>
<link href="/services/licenser/licenses/E08B ... elided ...FA75BF" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="creation_time">1309852804</s:key>
... eai:acl node elided ...
<s:key name="expiration_time">1315641604</s:key>
<s:key name="features">
<s:list>
<s:item>Auth</s:item>
<s:item>FwdData</s:item>
<s:item>RcvData</s:item>
<s:item>LocalSearch</s:item>
<s:item>DistSearch</s:item>
<s:item>RcvSearch</s:item>
<s:item>ScheduledSearch</s:item>
<s:item>Alerting</s:item>
<s:item>DeployClient</s:item>
<s:item>DeployServer</s:item>
<s:item>SplunkWeb</s:item>
<s:item>SigningProcessor</s:item>
<s:item>SyslogOutputProcessor</s:item>
<s:item>AllowDuplicateKeys</s:item>
</s:list>
</s:key>
<s:key name="group_id">Trial</s:key>
<s:key name="label">Splunk Enterprise Download Trial</s:key>
<s:key name="license_hash">E08B ... elided ...FA75BF</s:key>
<s:key name="max_violations">5</s:key>
<s:key name="quota">524288000</s:key>
<s:key name="sourcetypes">
<s:list/>
</s:key>
<s:key name="stack_id">download-trial</s:key>
<s:key name="status">VALID</s:key>
<s:key name="type">download-trial</s:key>
<s:key name="window_period">30</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/licenses -d name=/Users/myusername/downloads/Splunk_enterprise.lic
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>licenses</title>
<id>https://localhost:8089/services/licenser/licenses</id>
<updated>2011-07-11T09:41:32-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/licenses/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>CF6C50 ... elided ...72CE6C</title>
<id>https://localhost:8089/services/licenser/licenses/CF6C50 ... elided ...72CE6C</id>
<updated>2011-07-11T09:41:32-07:00</updated>
<link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="list"/>
<link href="/services/licenser/licenses/CF6C50 ... elided ...72CE6C" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="creation_time">1306168427</s:key>
... eai:acl node elided ...
<s:key name="expiration_time">2147483647</s:key>
<s:key name="features">
<s:list>
<s:item>Auth</s:item>
<s:item>FwdData</s:item>
<s:item>RcvData</s:item>
<s:item>LocalSearch</s:item>
<s:item>DistSearch</s:item>
<s:item>RcvSearch</s:item>
<s:item>ScheduledSearch</s:item>
<s:item>Alerting</s:item>
<s:item>DeployClient</s:item>
<s:item>DeployServer</s:item>
<s:item>SplunkWeb</s:item>
<s:item>SigningProcessor</s:item>
<s:item>SyslogOutputProcessor</s:item>
<s:item>CanBeRemoteMaster</s:item>
</s:list>
</s:key>
<s:key name="group_id">Enterprise</s:key>
<s:key name="label">Splunk Enterprise</s:key>
<s:key name="license_hash">CF6C50 ... elided ...72CE6C</s:key>
<s:key name="max_violations">5</s:key>
<s:key name="quota">10737418240</s:key>
<s:key name="sourcetypes">
<s:list/>
</s:key>
<s:key name="stack_id">enterprise</s:key>
<s:key name="status">VALID</s:key>
<s:key name="type">enterprise</s:key>
<s:key name="window_period">30</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/licenser/licenses/E4BF ... elided ...FC639D
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>licenses</title>
<id>https://localhost:8089/services/licenser/licenses</id>
<updated>2011-07-07T09:45:12-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/licenses/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://127.0.0.1:3339/services/licenser/licenses/E4BF ... elided ...FC639D
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>licenses</title>
<id>https://localhost:8089/services/licenser/licenses</id>
<updated>2011-07-05T15:57:08-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/licenses/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>E4BF ... elided ...FC639D</title>
<id>https://localhost:8089/services/licenser/licenses/E4BF ... elided ...FC639D</id>
<updated>2011-07-05T15:57:08-07:00</updated>
<link href="/services/licenser/licenses/E4BF ... elided ...FC639D" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/licenses/E4BF ... elided ...FC639D" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="creation_time">1300901512</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="expiration_time">1314811912</s:key>
<s:key name="features">
<s:list>
<s:item>Auth</s:item>
<s:item>FwdData</s:item>
<s:item>RcvData</s:item>
<s:item>LocalSearch</s:item>
<s:item>DistSearch</s:item>
<s:item>RcvSearch</s:item>
<s:item>ScheduledSearch</s:item>
<s:item>Alerting</s:item>
<s:item>DeployClient</s:item>
<s:item>DeployServer</s:item>
<s:item>SplunkWeb</s:item>
<s:item>SigningProcessor</s:item>
<s:item>SyslogOutputProcessor</s:item>
<s:item>AllowDuplicateKeys</s:item>
<s:item>CanBeRemoteMaster</s:item>
</s:list>
</s:key>
<s:key name="group_id">Enterprise</s:key>
<s:key name="label">Splunk Internal License</s:key>
<s:key name="license_hash">E4BF ... elided ...FC639D</s:key>
<s:key name="max_violations">5</s:key>
<s:key name="quota">10737418240</s:key>
<s:key name="sourcetypes"><s:list/></s:key>
<s:key name="stack_id">enterprise</s:key>
<s:key name="status">VALID</s:key>
<s:key name="type">enterprise</s:key>
<s:key name="window_period">30</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/localslave
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>localslave</title>
<id>https://localhost:8089/services/licenser/localslave</id>
<updated>2014-09-08T11:30:21-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>license</title>
<id>https://localhost:8089/services/licenser/localslave/license</id>
<updated>2014-09-08T11:30:21-07:00</updated>
<link href="/services/licenser/localslave/license" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/localslave/license" rel="list"/>
<link href="/services/licenser/localslave/license" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="add_ons">
<s:dict>
<s:key name="hadoop">
<s:dict>
<s:key name="parameters">
<s:dict>
<s:key name="erp_type">report</s:key>
<s:key name="maxNodes">10</s:key>
</s:dict>
</s:key>
<s:key name="type">external_results_provider</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="connection_timeout">30</s:key>
<s:key name="eai:acl"> ... elided ... </s:key>
<s:key name="features">
<s:dict>
<s:key name="Acceleration">ENABLED</s:key>
<s:key name="AdvancedSearchCommands">ENABLED</s:key>
<s:key name="AdvancedXML">ENABLED</s:key>
<s:key name="Alerting">ENABLED</s:key>
<s:key name="AllowDuplicateKeys">ENABLED</s:key>
<s:key name="Auth">ENABLED</s:key>
<s:key name="CanBeRemoteMaster">ENABLED</s:key>
<s:key name="CustomRoles">ENABLED</s:key>
<s:key name="DeployClient">ENABLED</s:key>
<s:key name="DeployServer">ENABLED</s:key>
<s:key name="DistSearch">ENABLED</s:key>
<s:key name="FwdData">ENABLED</s:key>
<s:key name="GuestPass">ENABLED</s:key>
<s:key name="KVStore">ENABLED</s:key>
<s:key name="LDAPAuth">ENABLED</s:key>
<s:key name="LocalSearch">ENABLED</s:key>
<s:key name="MultisiteClustering">ENABLED</s:key>
<s:key name="NontableLookups">ENABLED</s:key>
<s:key name="RcvData">ENABLED</s:key>
<s:key name="RcvSearch">ENABLED</s:key>
<s:key name="ResetWarnings">DISABLED_DUE_TO_LICENSE</s:key>
<s:key name="RollingWindowAlerts">ENABLED</s:key>
<s:key name="ScheduledAlerts">ENABLED</s:key>
<s:key name="ScheduledReports">ENABLED</s:key>
<s:key name="ScheduledSearch">ENABLED</s:key>
<s:key name="SearchheadPooling">ENABLED</s:key>
<s:key name="SigningProcessor">ENABLED</s:key>
<s:key name="SplunkWeb">ENABLED</s:key>
<s:key name="SyslogOutputProcessor">ENABLED</s:key>
<s:key name="UnisiteClustering">ENABLED</s:key>
</s:dict>
</s:key>
<s:key name="last_master_contact_attempt_time">1410201013</s:key>
<s:key name="last_master_contact_success_time">1410201013</s:key>
<s:key name="last_trackerdb_service_time">0</s:key>
<s:key name="license_keys">
<s:list>
<s:item>4467A79214BACAD9BB01F28193D6E15129DADC3B99D69D78884D4D68D2DDE750</s:item>
</s:list>
</s:key>
<s:key name="master_guid">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
<s:key name="master_uri">self</s:key>
<s:key name="receive_timeout">30</s:key>
<s:key name="send_timeout">30</s:key>
<s:key name="slave_id">9CBD8473-4E7D-4FF2-A042-050C5C27C298</s:key>
<s:key name="slave_label">MY MACHINE</s:key>
<s:key name="squash_threshold">2000</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/messages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>licensermessages</title>
<id>https://localhost:8089/services/licenser/messages</id>
<updated>2011-08-02T03:50:46-07:00</updated>
<generator version="105103"/>
<author>
<name>Splunk</name>
</author>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>70a19a5cfe6d7c2a678089638dee7bea</title>
<id>https://localhost:8089/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea</id>
<updated>2011-08-02T03:50:46-07:00</updated>
<link href="/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/messages/70a19a5cfe6d7c2a678089638dee7bea" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="category">pool_warning_count</s:key>
<s:key name="create_time">1312282230</s:key>
<s:key name="description">This pool contains slave(s) with 3 warnings</s:key>
... eai:acl node elided ...
<s:key name="pool_id"/>
<s:key name="severity">WARN</s:key>
<s:key name="slave_id"/>
<s:key name="stack_id"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://127.0.0.1:3339/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>licensermessages</title>
<id>https://127.0.0.1:3339/services/licenser/messages</id>
<updated>2011-05-16T21:45:17-07:00</updated>
<generator version="99678"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>2702b33a1bd369ae9209a9ecf4cb39db</title>
<id>https://127.0.0.1:3339/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db</id>
<updated>2011-05-16T21:45:17-07:00</updated>
<link href="/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/messages/2702b33a1bd369ae9209a9ecf4cb39db" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="category">license_window</s:key>
<s:key name="create_time">1305607136</s:key>
<s:key name="description">test warnings</s:key>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="pool_id"/>
<s:key name="severity">WARN</s:key>
<s:key name="slave_id"/>
<s:key name="stack_id"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/pools
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>pools</title>
<id>https://localhost:8089/services/licenser/pools</id>
<updated>2011-07-08T10:55:18-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/pools/_new" rel="create"/>
<link href="/services/licenser/pools/_reload" rel="_reload"/>
<opensearch:totalResults>4</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
... elided ...
<entry>
<title>auto_generated_pool_enterprise</title>
<id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise</id>
<updated>2011-07-08T10:55:18-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="list"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="edit"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_enterprise" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="description">auto_generated_pool_enterprise</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
<s:key name="quota">MAX</s:key>
<s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
<s:key name="slaves_usage_bytes">
<s:dict><s:key name="1F3A34AE-75DA-4680-B184-5BF309843919">26445659</s:key></s:dict>
</s:key>
<s:key name="stack_id">enterprise</s:key>
<s:key name="used_bytes">26445659</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>auto_generated_pool_forwarder</title>
<id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder</id>
<updated>2011-07-08T10:55:18-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="list"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="edit"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="description">auto_generated_pool_forwarder</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
<s:key name="quota">MAX</s:key>
<s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
<s:key name="slaves_usage_bytes"></s:key>
<s:key name="stack_id">forwarder</s:key>
<s:key name="used_bytes">0</s:key>
</s:dict>
</content>
</entry>
... elided ...
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/pools -d name=myLicensePool -d quota=MAX -d slaves=* -d stack_id=enterprise
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>pools</title>
<id>https://localhost:8089/services/licenser/pools</id>
<updated>2011-07-08T11:31:47-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/pools/_new" rel="create"/>
<link href="/services/licenser/pools/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/licenser/pools/auto_generated_pool_enterprise
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>pools</title>
<id>https://localhost:8089/services/licenser/pools</id>
<updated>2011-07-08T11:29:26-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/pools/_new" rel="create"/>
<link href="/services/licenser/pools/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/pools/auto_generated_pool_forwarder
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>pools</title>
<id>https://localhost:8089/services/licenser/pools</id>
<updated>2011-07-08T11:03:37-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/pools/_new" rel="create"/>
<link href="/services/licenser/pools/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>auto_generated_pool_forwarder</title>
<id>https://localhost:8089/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder</id>
<updated>2011-07-08T11:03:37-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="list"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="edit"/>
<link href="/servicesNS/nobody/system/licenser/pools/auto_generated_pool_forwarder" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="description">auto_generated_pool_forwarder</s:key>
<s:key name="eai:acl"> ... elided ...</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>append_slaves</s:item>
<s:item>description</s:item>
<s:item>quota</s:item>
<s:item>slaves</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/></s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="quota">MAX</s:key>
<s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
<s:key name="slaves_usage_bytes"></s:key>
<s:key name="stack_id">forwarder</s:key>
<s:key name="used_bytes">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/pools/myLicensePool -d quota=50MB
... elided ...
<entry>
<title>myLicensePool</title>
<id>https://localhost:8085/servicesNS/nobody/system/licenser/pools/myLicensePool</id>
<updated>2011-07-24T08:46:49-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="list"/>
<link href="/servicesNS/nobody/system/licenser/pools/myLicensePool/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="edit"/>
<link href="/servicesNS/nobody/system/licenser/pools/myLicensePool" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="description"></s:key>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>append_slaves</s:item>
<s:item>description</s:item>
<s:item>quota</s:item>
<s:item>slaves</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/></s:key>
<s:key name="wildcardFields">
<s:list/></s:key>
</s:dict>
</s:key>
<s:key name="quota">552428800</s:key>
<s:key name="slaves"><s:list><s:item>*</s:item></s:list></s:key>
<s:key name="slaves_usage_bytes">
<s:dict>
<s:key name="1F3A34AE-75DA-4680-B184-5BF309843919">39846322</s:key>
</s:dict>
</s:key>
<s:key name="stack_id">enterprise</s:key>
<s:key name="used_bytes">39846322</s:key>
</s:dict>
</content>
</entry>
curl -k -u admin:pass https://localhost:8089/services/licenser/slaves
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>slaves</title>
<id>https://localhost:8089/services/licenser/slaves</id>
<updated>2011-05-17T09:37:54-07:00</updated>
<generator version="99849"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>74A43C7E-C33C-41F6-B027-E603D2C3FE68</title>
<id>https://localhost:8089/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68</id>
<updated>2011-05-17T09:37:54-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="label">thething-vishalp</s:key>
<s:key name="pool_ids">
<s:list>
<s:item>auto_generated_pool_enterprise</s:item>
<s:item>auto_generated_pool_forwarder</s:item>
<s:item>auto_generated_pool_free</s:item>
</s:list>
</s:key>
<s:key name="stack_ids">
<s:list>
<s:item>enterprise</s:item>
<s:item>forwarder</s:item>
<s:item>free</s:item>
</s:list>
</s:key>
<s:key name="warning_count">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>slaves</title>
<id>https://127.0.0.1:8282/services/licenser/slaves</id>
<updated>2011-05-17T09:44:10-07:00</updated>
<generator version="99849"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>74A43C7E-C33C-41F6-B027-E603D2C3FE68</title>
<id>https://127.0.0.1:8282/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68</id>
<updated>2011-05-17T09:44:10-07:00</updated>
<link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/licenser/slaves/74A43C7E-C33C-41F6-B027-E603D2C3FE68" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app">system</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="label">thething-vishalp</s:key>
<s:key name="pool_ids">
<s:list>
<s:item>auto_generated_pool_enterprise</s:item>
<s:item>auto_generated_pool_forwarder</s:item>
<s:item>auto_generated_pool_free</s:item>
</s:list>
</s:key>
<s:key name="stack_ids">
<s:list>
<s:item>enterprise</s:item>
<s:item>forwarder</s:item>
<s:item>free</s:item>
</s:list>
</s:key>
<s:key name="warning_count">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/stacks
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>stacks</title>
<id>https://localhost:8089/services/licenser/stacks</id>
<updated>2011-07-08T10:37:33-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>4</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>download-trial</title>
<id>https://localhost:8089/services/licenser/stacks/download-trial</id>
<updated>2011-07-08T10:37:33-07:00</updated>
<link href="/services/licenser/stacks/download-trial" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/stacks/download-trial" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="label">Splunk Enterprise Download Trial</s:key>
<s:key name="quota">524288000</s:key>
<s:key name="type">download-trial</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>enterprise</title>
<id>https://localhost:8089/services/licenser/stacks/enterprise</id>
<updated>2011-07-08T10:37:33-07:00</updated>
<link href="/services/licenser/stacks/enterprise" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/stacks/enterprise" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="label">Splunk Internal License</s:key>
<s:key name="quota">10737418240</s:key>
<s:key name="type">enterprise</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>forwarder</title>
<id>https://localhost:8089/services/licenser/stacks/forwarder</id>
<updated>2011-07-08T10:37:33-07:00</updated>
<link href="/services/licenser/stacks/forwarder" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/stacks/forwarder" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="label">Splunk Forwarder</s:key>
<s:key name="quota">1048576</s:key>
<s:key name="type">forwarder</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>free</title>
<id>https://localhost:8089/services/licenser/stacks/free</id>
<updated>2011-07-08T10:37:33-07:00</updated>
<link href="/services/licenser/stacks/free" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/stacks/free" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="label">Splunk Free</s:key>
<s:key name="quota">524288000</s:key>
<s:key name="type">free</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/enterprise
span style="color: #008000; font-weight: bold"><feed</span> xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>stacks</title>
<id>https://localhost:8089/services/licenser/stacks</id>
<updated>2011-07-08T10:42:44-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>enterprise</title>
<id>https://localhost:8089/services/licenser/stacks/enterprise</id>
<updated>2011-07-08T10:42:44-07:00</updated>
<link href="/services/licenser/stacks/enterprise" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/stacks/enterprise" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="eai:attributes"> ... elided ...</s:key>
<s:key name="label">Splunk Internal License</s:key>
<s:key name="quota">10737418240</s:key>
<s:key name="type">enterprise</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/licenser/usage
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>licenseusage</title>
<id>https://localhost:8089/services/licenser/usage</id>
<updated>2015-06-03T11:46:10-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/licenser/usage/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>license_usage</title>
<id>https://localhost:8089/services/licenser/usage/license_usage</id>
<updated>2015-06-03T11:46:10-07:00</updated>
<link href="/services/licenser/usage/license_usage" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/licenser/usage/license_usage" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>*</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="quota">214748364800</s:key>
<s:key name="slaves_usage_bytes">0</s:key>
</s:dict>
</content>
</entry>
</feed>
Manage data from Splunk Enterprise forwarders.
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/default
Authentication: Not required
Provides access to global TCP out properties.
| Method | Description | Formats |
|---|---|---|
| GET | Returns the current tcpout properties. | XML, JSON |
| POST | Configures global tcpout properties. | XML, JSON |
data/outputs/tcp/default method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| autoLB | Specifies whether Auto Load balance method is used. |
| defaultGroup | Target group names. The forwarder sends all data to the specified groups.
Starting with 4.2, this attribute is no longer required. |
| disabled | Indicates if tcpout settings are disabled. |
| forwardedindex.0.whitelist | Specifies 0th whitelist filter.
forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to. |
| forwardedindex.1.blacklist | Specifies 1st blacklist filter. forwardedindex.<n>.blacklist specifies index for which events are not forwarded. |
| forwardedindex.2.whitelist | Specifies 2nd whitelist filter.
forwardedindex.<n>.whitelist decides which events get forwarded based on the indexes they belong to. |
| forwardedindex.filter.disable | Specifies whether filtering of forwarded data based on index is diasbled. |
| indexAndForward | Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.
This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group. |
| maxQueueSize | Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true).
See the parmeter description for the POST operation for more information. |
data/outputs/tcp/defaultx method detail| Name | Type | Default | Description |
|---|---|---|---|
| defaultGroup | String | Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.
The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier. Starting with 4.2, this attribute is no longer required. | |
| disabled | Boolean | Disables default tcpout settings | |
| dropEventsOnQueueFull | Number | If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).
CAUTION: Do not set this value to a positive integer if you are monitoring files. Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group. Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur. | |
| heartbeatFrequency | Number | How often (in seconds) to send a heartbeat packet to the receiving server.
Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds. | |
| indexAndForward | Boolean | Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.
This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group. | |
| maxQueueSize | Number | Specify an integer or integer[KB|MB|GB].
Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true). Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer. For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting. If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks. If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any). | |
| name required | String | Configuration to be edited. The only valid value is "tcpout". | |
| sendCookedData | Boolean | If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.
Set to false if you are sending to a third-party system. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/default/{name}
Authentication: Not required
Manage forwarder settings.
| Method | Description | Formats |
|---|---|---|
| DELETE | Disable the default forwarding settings. | XML, JSON |
| GET | Retrieve the named configuration. | XML, JSON |
| POST | Configure global forwarding properties. | XML, JSON |
data/outputs/tcp/default/{name} method detailNone
None
data/outputs/tcp/default/{name} method detailNone
None
The only valid name here is "tcpout".
data/outputs/tcp/default/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| defaultGroup | String | Comma-separated list of one or more target group names, specified later in [tcpout:<target_group>] stanzas of outputs.conf.spec file.
The forwarder sends all data to the specified groups. If you do not want to forward data automatically, do not set this attribute. Can be overridden by an inputs.conf _TCP_ROUTING setting, which in turn can be overridden by a props.conf/transforms.conf modifier. Starting with 4.2, this attribute is no longer required. | |
| disabled | Boolean | Disables default tcpout settings | |
| dropEventsOnQueueFull | Number | If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).
CAUTION: Do not set this value to a positive integer if you are monitoring files. Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group. Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur. | |
| heartbeatFrequency | Number | How often (in seconds) to send a heartbeat packet to the receiving server.
Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds. | |
| indexAndForward | Boolean | Specifies whether to index all data locally, in addition to forwarding it. Defaults to false.
This is known as an "index-and-forward" configuration. This attribute is only available for heavy forwarders. It is available only at the top level [tcpout] stanza in outputs.conf. It cannot be overridden in a target group. | |
| maxQueueSize | Number | Specify an integer or integer[KB|MB|GB].
Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true). Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer. For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting. If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks. If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any). | |
| sendCookedData | Boolean | If true, events are cooked (processed by Splunk Enterprise). If false, events are raw and untouched prior to sending. Defaults to true.
Set to false if you are sending to a third-party system. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/group
Authentication: Not required
Provides access to the configuration of a group of one or more data forwarding destinations.
| Method | Description | Formats |
|---|---|---|
| GET | Returns configuration information about target groups. | XML, JSON |
| POST | Configures a group of one or more data forwarding destinations. | XML, JSON |
data/outputs/tcp/group method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Indicates if tcpout is disabled for this group. |
| method | Specifies the type of output processor.
Valid values: (tcpout | syslog) |
| servers | Servers included in this group. |
data/outputs/tcp/group method detail| Name | Type | Default | Description |
|---|---|---|---|
| compressed | Boolean | false | If true, forwarder sends compressed data.
If set to true, the receiver port must also have compression turned on. |
| disabled | Boolean | false | If true, disables the group. |
| dropEventsOnQueueFull | Number | -1 | If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).
CAUTION: Do not set this value to a positive integer if you are monitoring files. Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group. Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur. |
| heartbeatFrequency | Number | 30 | How often (in seconds) to send a heartbeat packet to the group.
Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds. |
| maxQueueSize | Number | auto | Specify either an integer or integer[KB|MB|GB].
Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true). Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer. For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting. If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks. If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any). |
| method | Enum | Valid values: (tcpout | syslog)
Specifies the type of output processor. | |
| name required | String | The name of the group of receivers. | |
| sendCookedData | Boolean | true | If true, send cooked events (events processed by Splunk).
If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system. Defaults to true. |
| servers required | String | Comma-separated list of servers to include in the group. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/group/{name}
Authentication: Not required
Manage the {name} target group.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes the target group specified by {name}. | XML, JSON |
| GET | Returns configuration information about the target group specified by {name}. | XML, JSON |
| POST | Updates the configuration of the target group. | XML, JSON |
data/outputs/tcp/group/{name} method detailNone
None
data/outputs/tcp/group/{name} method detailNone
| Name | Description |
|---|---|
| autoLB | Indicates if the forwarder performs automatic load balancing.
See the description for the autoLB parameter in POST data/outputs/tcp/group for details. |
| disabled | Indicates if tcpout is disabled for this group. |
| method | Specifies the type of output processor.
Valid values: (tcpout | syslog) |
| servers | Servers included in this group. |
data/outputs/tcp/group/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| compressed | Boolean | false | If true, forwarder sends compressed data.
If set to true, the receiver port must also have compression turned on. |
| disabled | Boolean | false | If true, disables the group. |
| dropEventsOnQueueFull | Number | -1 | If set to a positive number, wait the specified number of seconds before throwing out all new events until the output queue has space. Defaults to -1 (do not drop events).
CAUTION: Do not set this value to a positive integer if you are monitoring files. Setting this to -1 or 0 causes the output queue to block when it gets full, which causes further blocking up the processing chain. If any target group queue is blocked, no more data reaches any other target group. Using auto load-balancing is the best way to minimize this condition, because, in that case, multiple receivers must be down (or jammed up) before queue blocking can occur. |
| heartbeatFrequency | Number | 30 | How often (in seconds) to send a heartbeat packet to the group.
Heartbeats are only sent if sendCookedData=true. Defaults to 30 seconds. |
| maxQueueSize | Number | auto | Specify either an integer or integer[KB|MB|GB].
Sets the maximum size of the forwarder output queue. It also sets the maximum size of the wait queue to 3x this value, if you have enabled indexer acknowledgment (useACK=true). Although the wait queue and the output queues are both configured by this attribute, they are separate queues. The setting determines the maximum size of the queue in-memory (RAM) buffer. For heavy forwarders sending parsed data, maxQueueSize is the maximum number of events. Since events are typically much shorter than data blocks, the memory consumed by the queue on a parsing forwarder is likely to be much smaller than on a non-parsing forwarder, if you use this version of the setting. If specified as a lone integer (for example, maxQueueSize=100), maxQueueSize indicates the maximum number of queued events (for parsed data) or blocks of data (for unparsed data). A block of data is approximately 64KB. For non-parsing forwarders, such as universal forwarders, that send unparsed data, maxQueueSize is the maximum number of data blocks. If specified as an integer followed by KB, MB, or GB (for example, maxQueueSize=100MB), maxQueueSize indicates the maximum RAM allocated to the queue buffer. Defaults to 500KB (which means a maximum size of 500KB for the output queue and 1500KB for the wait queue, if any). |
| method | Enum | Valid values: (tcpout | syslog)
Specifies the type of output processor. | |
| sendCookedData | Boolean | true | If true, send cooked events (events processed by Splunk).
If false, events are raw and untouched prior to sending. Set to false if you are sending to a third-party system. Defaults to true. |
| servers required | String | Comma-separated list of servers to include in the group. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/server
Authentication: Not required
Provides access to data forwarding configurations.
| Method | Description | Formats |
|---|---|---|
| GET | Lists existing forwarded servers. | XML, JSON |
| POST | Creates a new forwarder output. | XML, JSON |
data/outputs/tcp/server method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| destHost | DNS name of the destination server. |
| destIp | IP address of the destination server. |
| destPort | Port on which the destination server is listening. |
| disabled | Indicates if the outputs to the destination server is disabled. |
| method | The data distribution method used when two or more servers exist in the same forwarder group.
Valid values: (clone | balance | autobalance) |
| sourcePort | Port on destination server where data is forwarded. |
| status | Indicates the status of the connection to the server. |
data/outputs/tcp/server method detail| Name | Type | Default | Description |
|---|---|---|---|
| disabled | Boolean | If true, disables the forwarder. | |
| method | Enum | Valid values: (clone | balance | autobalance)
The data distribution method used when two or more servers exist in the same forwarder group. | |
| name required | String | <host>:<port> of the Splunk Enterprise receiver. <host> can be either an ip address or server name. <port> is the that port that the Splunk receiver is listening on. | |
| sslAltNameToCheck | String | The alternate name to match in the remote server's SSL certificate. | |
| sslCertPath | String | Path to the client certificate. If specified, connection uses SSL. | |
| sslCipher | String | SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM | |
| sslCommonNameToCheck | String | Check the common name of the server's certificate against this name.
If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true. | |
| sslPassword | String | The password associated with the CAcert.
The default Splunk Enterprise CAcert uses the password "password." | |
| sslRootCAPath | String | The path to the root certificate authority file (optional). | |
| sslVerifyServerCert | Boolean | If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/server/{name}
Authentication: Not required
Manage the {name} forwarder.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes the configuration for the forwarded server specified by {name}. | XML, JSON |
| GET | Lists information aobut the forwarded server specified by {name}. | XML, JSON |
| POST | Configures the forwarded server specified by {name}. | XML, JSON |
data/outputs/tcp/server/{name} method detailNone
None
data/outputs/tcp/server/{name} method detailNone
| Name | Description |
|---|---|
| disabled | Indicates if the outputs to the destination server is disabled. |
| method | The data distribution method used when two or more servers exist in the same forwarder group.
Valid values: (clone | balance | autobalance) |
data/outputs/tcp/server/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| disabled | Boolean | If true, disables the forwarder. | |
| method | Enum | Valid values: (clone | balance | autobalance)
The data distribution method used when two or more servers exist in the same forwarder group. | |
| sslAltNameToCheck | String | The alternate name to match in the remote server's SSL certificate. | |
| sslCertPath | String | Path to the client certificate. If specified, connection uses SSL. | |
| sslCipher | String | SSL Cipher in the form ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM | |
| sslCommonNameToCheck | String | Check the common name of the server's certificate against this name.
If there is no match, assume that Splunk Enterprise is not authenticated against this server. You must specify this setting if sslVerifyServerCert is true. | |
| sslPassword | String | The password associated with the CAcert.
The default Splunk Enterprise CAcert uses the password "password." | |
| sslRootCAPath | String | The path to the root certificate authority file (optional). | |
| sslVerifyServerCert | Boolean | If true, make sure that the server you are connecting to is a valid one (authenticated). Both the common name and the alternate name of the server are then checked for a match. |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/server/{name}/allconnections
Authentication: Not required
Get {name} forwarder connections.
| Method | Description | Formats |
|---|---|---|
| GET | List current connections to forwarded server specified by {name} | XML, JSON |
data/outputs/tcp/server/{name}/allconnections method detailNone
| Name | Description |
|---|---|
| destHost | DNS name of the destination server. |
| destIp | IP address of the destination server. |
| destPort | Port on which the destination server is listening. |
| sourcePort | Port on destination server where data is forwarded. |
| status | Indicates the status of the connection to the server. |
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/syslog
Authentication: Not required
Provides access to the configuration of a forwarded server configured to provide data in standard syslog format.
| Method | Description | Formats |
|---|---|---|
| GET | Provides access to syslog data forwarding configurations. | XML, JSON |
| POST | Configures a forwarder to send data in standard syslog format. | XML, JSON |
data/outputs/tcp/syslog method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| disabled | Specifies whether global syslog configuration is disabled. |
| server | Specifies server:port where data is forwarded. |
| type | Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp). |
data/outputs/tcp/syslog method detail| Name | Type | Default | Description |
|---|---|---|---|
| disabled | Boolean | If true, disables global syslog settings. | |
| name required | String | Name of the syslog output group. This is name used when creating syslog configuration in outputs.conf.
| |
| priority | Number | Sets syslog priority value.
The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details. | |
| server | String | host:port of the server where syslog data should be sent | |
| syslogSourceType | String | Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.
This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment. To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example
Data that is "syslog" or matches this setting is assumed to already be in syslog format. Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations. | |
| timestampformat | String | Format of timestamp to add at start of the events to be forwarded.
The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details. | |
| type | String | Protocol to use to send syslog data. Valid values: (tcp | udp ). |
None
[ Top ]
https://<host>:<mPort>/services/data/outputs/tcp/syslog/{name}
Authentication: Not required
Manage configuration for the {name} forwarder.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes the configuration for the forwarder specified by {name} that sends data in syslog format. | XML, JSON |
| GET | Returns configuration information for the forwarder specified by {name} that sends data in standard syslog format | XML, JSON |
| POST | Updates the configuration of the forwarder specified by {name} that sends data in syslog format. | XML, JSON |
data/outputs/tcp/syslog/{name} method detailNone
None
data/outputs/tcp/syslog/{name} method detailNone
| Name | Description |
|---|---|
| disabled | Specifies whether global syslog configuration is disabled. |
| server | Specifies server:port where data is forwarded. |
| type | Specifies whether tcp or udp is used to forward data. If unspecified, udp is used. Valid values : (tcp | udp). |
data/outputs/tcp/syslog/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| disabled | Boolean | If true, disables global syslog settings. | |
| priority | Number | Sets syslog priority value.
The priority value should specified as an integer. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details. | |
| server | String | host:port of the server where syslog data should be sent | |
| syslogSourceType | String | Specifies a rule for handling data in addition to that provided by the "syslog" sourcetype. By default, there is no value for syslogSourceType.
This string is used as a substring match against the sourcetype key. For example, if the string is set to 'syslog', then all source types containing the string "syslog" receives this special treatment. To match a source type explicitly, use the pattern "sourcetype::sourcetype_name." For example
Data that is "syslog" or matches this setting is assumed to already be in syslog format. Data that does not match the rules has a header, potentially a timestamp, and a hostname added to the front of the event. This is how Splunk Enterprise causes arbitrary log data to match syslog expectations. | |
| timestampformat | String | Format of timestamp to add at start of the events to be forwarded.
The format is a strftime-style timestamp formatting string. See $SPLUNK_HOME/etc/system/README/outputs.conf.spec for details. | |
| type | String | Protocol to use to send syslog data. Valid values: (tcp | udp ). |
None
[ Top ]
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2011-07-10T22:38:23-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/default/_new" rel="create"/>
<link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>tcpout</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
<updated>2011-07-10T22:38:23-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="autoLB">1</s:key>
<s:key name="defaultGroup">spacecake_9998</s:key>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="forwardedindex.0.whitelist">.*</s:key>
<s:key name="forwardedindex.1.blacklist">_.*</s:key>
<s:key name="forwardedindex.2.whitelist">_audit</s:key>
<s:key name="forwardedindex.filter.disable">0</s:key>
<s:key name="indexAndForward">0</s:key>
<s:key name="maxQueueSize">500KB</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d 'defaultGroup=myIndexers'
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2011-07-10T22:43:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/default/_new" rel="create"/>
<link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/default/tcpout
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-default</title>
<id>https://localhost:8085/services/data/outputs/tcp/default</id>
<updated>2011-07-19T20:09:02-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/default/_new" rel="create"/>
<link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2011-07-10T22:38:23-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/default/_new" rel="create"/>
<link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>tcpout</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/default/tcpout</id>
<updated>2011-07-10T22:38:23-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout" rel="remove"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/default/tcpout/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="autoLB">1</s:key>
<s:key name="defaultGroup">spacecake_9998</s:key>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="forwardedindex.0.whitelist">.*</s:key>
<s:key name="forwardedindex.1.blacklist">_.*</s:key>
<s:key name="forwardedindex.2.whitelist">_audit</s:key>
<s:key name="forwardedindex.filter.disable">0</s:key>
<s:key name="indexAndForward">0</s:key>
<s:key name="maxQueueSize">500KB</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/default/tcpout -d heartbeatFrequency=60
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-default</title>
<id>https://localhost:8089/services/data/outputs/tcp/default</id>
<updated>2011-07-10T22:43:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/default/_new" rel="create"/>
<link href="/services/data/outputs/tcp/default/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-group</title>
<id>https://localhost:8089/services/data/outputs/tcp/group</id>
<updated>2011-07-10T22:21:07-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/group/_new" rel="create"/>
<link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>spacecake_9998</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998</id>
<updated>2011-07-10T22:21:07-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/spacecake_9998" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="method">autobalance</s:key>
<s:key name="servers">
<s:list>
<s:item>spacecake:9998</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group -d name=lan_receivers -d method=autobalance -d servers=10.3.3.3:9997,10.4.4.4:9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-group</title>
<id>https://localhost:8089/services/data/outputs/tcp/group</id>
<updated>2011-07-10T22:21:23-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/group/_new" rel="create"/>
<link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/group/lan_receivers
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-group</title>
<id>https://localhost:8089/services/data/outputs/tcp/group</id>
<updated>2011-07-10T22:32:47-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/group/_new" rel="create"/>
<link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-group</title>
<id>https://localhost:8089/services/data/outputs/tcp/group</id>
<updated>2011-07-10T22:23:10-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/group/_new" rel="create"/>
<link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>lan_receivers</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers</id>
<updated>2011-07-10T22:23:10-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/group/lan_receivers" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="autoLB">1</s:key>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>autoLB</s:item>
<s:item>blockOnQueueFull</s:item>
<s:item>compressed</s:item>
<s:item>disabled</s:item>
<s:item>dropEventsOnQueueFull</s:item>
<s:item>heartbeatFrequency</s:item>
<s:item>maxPersistentQueueSizeInMegs</s:item>
<s:item>maxQueueSize</s:item>
<s:item>method</s:item>
<s:item>persistentQueuePath</s:item>
<s:item>sendCookedData</s:item>
<s:item>usePersistentQueue</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>servers</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="method">autobalance</s:key>
<s:key name="servers">
<s:list>
<s:item>10.3.3.3:9997</s:item>
<s:item>10.4.4.4:9997</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/group/lan_receivers -d maxQueueSize=1024KB -d servers=10.3.3.3:9997,10.4.4.4:9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-group</title>
<id>https://localhost:8089/services/data/outputs/tcp/group</id>
<updated>2011-07-10T22:26:02-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/group/_new" rel="create"/>
<link href="/services/data/outputs/tcp/group/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-10T21:34:59-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>spacecake:9998</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998</id>
<updated>2011-07-10T21:34:59-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998" rel="remove"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/allconnections" rel="allconnections"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/spacecake%3A9998/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="destHost">spacecake.splunk.com</s:key>
<s:key name="destIp">10.1.1.73</s:key>
<s:key name="destPort">9998</s:key>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="method">autobalance</s:key>
<s:key name="sourcePort">8085</s:key>
<s:key name="status">connect_fail</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server -d name=tiny:9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-10T21:35:13-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/server/tiny:9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-10T21:35:41-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-10T21:35:24-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>tiny:9997</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997</id>
<updated>2011-07-10T21:35:24-07:00</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997" rel="remove"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/allconnections" rel="allconnections"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/server/tiny%3A9997/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
... eai:acl nodes elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>backoffAtStartup</s:item>
<s:item>disabled</s:item>
<s:item>initialBackoff</s:item>
<s:item>maxBackoff</s:item>
<s:item>maxNumberOfRetriesAtHighestBackoff</s:item>
<s:item>method</s:item>
<s:item>sslAltNameToCheck</s:item>
<s:item>sslCertPath</s:item>
<s:item>sslCipher</s:item>
<s:item>sslCommonNameToCheck</s:item>
<s:item>sslPassword</s:item>
<s:item>sslRootCAPath</s:item>
<s:item>sslVerifyServerCert</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="method">autobalance</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/tiny:9997 -d initialBackoff=10
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-10T21:35:33-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997/allconnections
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>tcpout-server</title>
<id>https://localhost:8089/services/data/outputs/tcp/server</id>
<updated>2011-07-15T15:15:12-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/server/_new" rel="create"/>
<link href="/services/data/outputs/tcp/server/_reload" rel="_reload"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>localhost:9997</title>
<id>https://localhost:8089/services/data/outputs/tcp/server/localhost%3A9997</id>
<updated>2011-07-15T15:15:12-0700</updated>
<link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="list"/>
<link href="/services/data/outputs/tcp/server/localhost%3A9997/_reload" rel="_reload"/>
<link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="edit"/>
<link href="/services/data/outputs/tcp/server/localhost%3A9997" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="destHost">localhost</s:key>
<s:key name="destIp">127.0.0.1</s:key>
<s:key name="destPort">9997</s:key>
... eai:acl nodes elided ...
<s:key name="sourcePort">8089</s:key>
<s:key name="status">connect_done</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>syslog</title>
<id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
<updated>2011-07-21T22:16:11-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>myServers</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
<updated>2011-07-21T22:16:11-0700</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl nodes elided ...
<s:key name="server">syslogservers.splunk.com:514</s:key>
<s:key name="type">tcp</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog -d myServers -d server=my.server.com:514
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>syslog</title>
<id>https://localhost:22090/services/data/outputs/tcp/syslog</id>
<updated>2011-07-21T23:00:26-07:00</updated>
<generator version="104359"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/data/outputs/tcp/syslog/myServers
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>syslog</title>
<id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
<updated>2011-07-21T22:20:52-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>syslog</title>
<id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
<updated>2011-07-21T22:30:33-0700</updated>
<generator version="101277"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
... opensearch nodes elided ...
<s:messages/>
<entry>
<title>myServers</title>
<id>https://localhost:8089/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers</id>
<updated>2011-07-21T22:30:33-0700</updated>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="list"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="edit"/>
<link href="/servicesNS/nobody/system/data/outputs/tcp/syslog/myServers" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">1</s:key>
... eai:acl nodes elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="server">syslogservers.splunk.com:514</s:key>
<s:key name="type">tcp</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/data/outputs/tcp/syslog/myServers -d type=udp
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>syslog</title>
<id>https://localhost:8089/services/data/outputs/tcp/syslog</id>
<updated>2011-07-21T22:53:23-07:00</updated>
<generator version="104359"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/data/outputs/tcp/syslog/_new" rel="create"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
Manage search-related resources:
https://<host>:<mPort>/services/alerts/fired_alerts
Authentication: Not required
Get all fired alerts.
| Method | Description | Formats |
|---|---|---|
| GET | Get a summary view of all fired alerts. | XML, JSON |
alerts/fired_alerts method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| triggered_alert_count | the number of time this alert is triggered. |
[ Top ]
https://<host>:<mPort>/services/alerts/fired_alerts/{name}
Authentication: Not required
Delete or view {name} alert.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the record of this triggered alert. | XML, JSON |
| GET | Get a list of all unexpired triggered or fired instances of this alert. | XML, JSON |
alerts/fired_alerts/{name} method detailNone
None
alerts/fired_alerts/{name} method detailNone
| Name | Description |
|---|---|
| actions | Any additional alert actions triggered by this alert. |
| alert_type | Indicates if the alert was historical or real-time. |
| digest_mode | |
| expiration_time_rendered | |
| savedsearch_name | Name of the saved search that triggered the alert. |
| severity | Indicates the severity level of an alert.
Severity level ranges from Info, Low, Medium, High, and Critical. Default is Medium. Severity levels are informational in purpose and have no additional functionality. |
| sid | The search ID of the search that triggered the alert. |
| trigger_time | The time the alert was triggered. |
| trigger_time_rendered | |
| triggered_alerts |
Specify - for {name} to return all fired alerts.
[ Top ]
https://<host>:<mPort>/services/data/commands
Authentication: Not required
Access Python search commands.
| Method | Description | Formats |
|---|---|---|
| GET | List all python search commands. | XML, JSON |
data/commands method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| changes_colorder | Indicates whether the script output should be used to change the column ordering of the fields. |
| disabled | Indicates if the command is disabled. |
| enableheader | Indicate whether or not your script is expecting header information or not.
Note: Should be set to true if you use splunk.Intersplunk |
| filename | Name of script file for command.
<stanza-name>.pl for perl. <stanza-name>.py for python. |
| generates_timeorder | If generating = false and streaming = true, indicates if the command changes the order of events w/respect to time. |
| generating | Indicates if the command generates new events. |
| maxinputs | Maximum number of events that can be passed to the command for each invocation. This limit cannot exceed the value of maxresultrows in limits.conf.
0 indicates no limit. Defaults to 50000. |
| outputheader | If true, the output of script should be a header section + blank line + csv ouput.
If false, script output should be pure csv only. |
| passauth | If true, passes an authentication token on the start of input. |
| required_fields | A list of fields that this command may use. Informs previous commands that they should retain/extract these fields if possible. No error is generated if a field specified is missing.
Defaults to '*'. |
| requires_preop | Indicates whether the command sequence specified by the streaming_preop key is required for proper execution or is it an optimization only.
Default is false (stremaing_preop not required). |
| retainsevents | Indicates whether the command retains events (the way the sort/dedup/cluster commands do) or whether the command transforms them (the way the stats command does). |
| streaming | Indicates whether the command is streamable. |
| supports_getinfo | Indicates whether the command supports dynamic probing for settings (first argument invoked == __GETINFO__ or __EXECUTE__). |
| supports_rawargs | Indicates whether the command supports raw arguments being passed to it or if it uses parsed arguments (where quotes are stripped). |
| type | Specifies the type of command. The only valid value for this attribute is python.
|
[ Top ]
https://<host>:<mPort>/services/data/commands/{name}
Authentication: Not required
Get information about the {name} python search command.
| Method | Description | Formats |
|---|---|---|
| GET | Get information about the {name} python search command. | XML, JSON |
data/commands/{name} method detailNone
| Name | Description |
|---|---|
| changes_colorder | Indicates whether the script output should be used to change the column ordering of the fields. |
| disabled | Indicates if the command is disabled. |
| enableheader | Indicate whether or not your script is expecting header information or not.
Note: Should be set to true if you use splunk.Intersplunk |
| filename | Name of script file for command.
<stanza-name>.pl for perl. <stanza-name>.py for python. |
| generates_timeorder | If generating = false and streaming = true, indicates if the command changes the order of events w/respect to time. |
| generating | Indicates if the command generates new events. |
| maxinputs | Maximum number of events that can be passed to the command for each invocation. This limit cannot exceed the value of maxresultrows in limits.conf.
0 indicates no limit. Defaults to 50000. |
| outputheader | If true, the output of script should be a header section + blank line + csv ouput.
If false, script output should be pure csv only. |
| passauth | If true, passes an authentication token on the start of input. |
| required_fields | A list of fields that this command may use. Informs previous commands that they should retain/extract these fields if possible. No error is generated if a field specified is missing.
Defaults to '*'. |
| requires_preop | Indicates whether the command sequence specified by the streaming_preop key is required for proper execution or is it an optimization only.
Default is false (stremaing_preop not required). |
| retainsevents | Indicates whether the command retains events (the way the sort/dedup/cluster commands do) or whether the command transforms them (the way the stats command does). |
| streaming | Indicates whether the command is streamable. |
| supports_getinfo | Indicates whether the command supports dynamic probing for settings (first argument invoked == __GETINFO__ or __EXECUTE__). |
| supports_rawargs | Indicates whether the command supports raw arguments being passed to it or if it uses parsed arguments (where quotes are stripped). |
| type | Specifies the type of command.
The only valid value for this attribute is |
[ Top ]
https://<host>:<mPort>/services/saved/searches
Authentication: Not required
Get saved search configurations.
| Method | Description | Formats |
|---|---|---|
| GET | Get information on all saved searches. | XML, JSON |
| POST | Creates a saved search. | XML, JSON |
saved/searches method detail| Name | Type | Default | Description |
|---|---|---|---|
| earliest_time | String | For scheduled searches display all the scheduled times starting from this time (not just the next run time) | |
| latest_time | String | For scheduled searches display all the scheduled times until this time (not just the next run time) | |
| listDefaultActionArgs | Boolean | Indicates whether to list default actions. |
Pagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| action.email | Indicates the state of the email action. |
| action.email.sendresults | Indicates whether search results are attached to the email. |
| action.email.to | List of addresses for email recipients. |
| action.populate_lookup | Indicates the state of the populate lookup action. |
| action.rss | Indicates the state of the RSS action. |
| action.script | Indicates the state of the script action. |
| action.summary_index | Indicates the state of the summary index action. |
| alert.digest_mode | Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result. |
| alert.expires | Sets the period of time to show the alert in the dashboard. Defaults to 24h.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.severity | The alert severity level.
Valid values are:
|
| alert.suppress | Indicates whether alert suppression is enabled for this schedules search. |
| alert.suppress.period | Specifies the suppresion period. Only valid if alert.supress is enabled.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.track | Specifies whether to track the actions triggered by this scheduled search.
auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc |
| alert_condition | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. Note: If you specify an alert_condition, do not set counttype, relation, or quantity. |
| alert_threshold | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_type | What to base the alert on, overriden by alert_condition if it is specified.
Valid values are: always, custom, number of events, number of hosts, number of sources |
| cron_schedule | The cron schedule to execute this search.
For more information, refer to the description of this parameter in the POST endpoint. |
| description | Description of the saved search. |
| disabled | Indicates if this saved search is disabled. |
| dispatch.buckets | The maximum nuber of timeline buckets. |
| dispatch.earliest_time | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.latest_time | A time string that specifies the latest time for the saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.lookups | Indicates if lookups are enabled for this search. |
| dispatch.max_count | The maximum number of results before finalizing the search. |
| dispatch.max_time | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.spawn_process | Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.
Searches against indexes must run in a separate process. |
| dispatch.time_format | Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. |
| earliest_time | For scheduled searches display all the scheduled times starting from this time (not just the next run time). |
| is_scheduled | Indicates if this search is to be run on a schedule |
| is_visible | Indicates if this saved search appears in the visible saved search list. |
| latest_time | For scheduled searches display all the scheduled times until this time (not just the next run time). |
| listDefaultActionArgs | List default values of actions.*, even though some of the actions may not be specified in the saved search. |
| max_concurrent | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | Time when the scheduler runs this search again. |
| qualifiedSearch | The exact search string that the scheduler would run. |
| realtime_schedule | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | A field used by Splunk Web to denote the app this search should be dispatched in. |
| request.ui_dispatch_view | Specifies a field used by Splunk Web to denote the view this search should be displayed in. |
| restart_on_searchpeer_add | Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
Note: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk Enterprise recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search | Search expression to filter the response. The response matches field values against the search expression. For example:
search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| vsid | The viewstate id associated with the UI view listed in 'displayview'.
Matches to a stanza in viewstates.conf. |
saved/searches method detail| Name | Type | Default | Description |
|---|---|---|---|
| action.* | String | Wildcard argument for any action.
Use this parameter to specify specific action arguments. For example, to specify the email recipients for action.email.to. | |
| action.email | Boolean | 0 | The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.email.auth_password | String | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. | |
| action.email.auth_username | String | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
NOTE: Your SMTP server might reject unauthenticated emails. | |
| action.email.bcc | String | BCC email address to use if action.email is enabled. | |
| action.email.cc | String | CC email address to use if action.email is enabled. | |
| action.email.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.email.format | Enum | Valid values: (plain | html | raw | csv)
Specify the format of text in the email. This value also applies to any attachments. | |
| action.email.from | String | Email address from which the email action originates.
Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf. | |
| action.email.hostname | String | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. | |
| action.email.inline | Boolean | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. | |
| action.email.mailserver | String | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). | |
| action.email.maxresults | Number | Sets the global maximum number of search results to send when email.action is enabled.
Defaults to 100. | |
| action.email.maxtime | Number | Valid values are Integer[m|s|h|d].
Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m. | |
| action.email.pdfview | String | The name of the view to deliver if sendpdf is enabled | |
| action.email.preprocess_results | String | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. | |
| action.email.reportCIDFontList | Enum | Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.
If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Defaults to "gb cns jp kor" | |
| action.email.reportIncludeSplunkLogo | Boolean | Indicates whether to include the Splunk logo with the report. | |
| action.email.reportPaperOrientation | Enum | Valid values: (portrait | landscape)
Specifies the paper orientation: portrait or landscape. Defaults to portrait. | |
| action.email.reportPaperSize | Enum | Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)
Specifies the paper size for PDFs. Defaults to letter. | |
| action.email.reportServerEnabled | Boolean | Not supported. | |
| action.email.reportServerURL | String | Not supported.
For a default locally installed report server, the URL is http://localhost:8091/ | |
| action.email.sendpdf | Boolean | Indicates whether to create and send the results as a PDF. Defaults to false. | |
| action.email.sendresults | Boolean | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. | |
| action.email.subject | String | Specifies an alternate email subject.
Defaults to SplunkAlert-<savedsearchname>. | |
| action.email.to | String | A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. | |
| action.email.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.email.ttl | Number | Valid values are Integer[p].
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.email.use_ssl | Boolean | Indicates whether to use SSL when communicating with the SMTP server.
Defaults to false. | |
| action.email.use_tls | Boolean | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
Defaults to false. | |
| action.email.width_sort_columns | Boolean | Indicates whether columns should be sorted from least wide to most wide, left to right.
Only valid if format=text. | |
| action.populate_lookup | Boolean | 0 | The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.populate_lookup.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.populate_lookup.dest | String | Lookup name of path of the lookup to populate | |
| action.populate_lookup.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.populate_lookup.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.populate_lookup.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.populate_lookup.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.populate_lookup.ttl | Number | Valid values are Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p. If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.rss | Boolean | 0 | The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.rss.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.rss.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.rss.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.rss.maxtime | Number | Valid values are Integer[m|s|h|d].
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m. | |
| action.rss.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.rss.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.script | Boolean | 0 | The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.script.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.script.filename | String | File name of the script to call. Required if script action is enabled | |
| action.script.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.script.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.script.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.script.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.script.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.summary_index | Boolean | 0 | The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
Defaults to 0 |
| action.summary_index._name | String | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." | |
| action.summary_index.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.summary_index.hostname | String | Sets the hostname used in the web link (url) sent in summary-index alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.summary_index.inline | Boolean | Determines whether to execute the summary indexing action as part of the scheduled search.
NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if Defaults to true | |
| action.summary_index.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.summary_index.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.summary_index.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.summary_index.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p. If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| actions | String | A comma-separated list of actions to enable.
For example: rss,email | |
| alert.digest_mode | Boolean | 1 | Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
Defaults to true. |
| alert.expires | Number | 24h | Valid values: [number][time-unit]
Sets the period of time to show the alert in the dashboard. Defaults to 24h. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.severity | Enum | 3 | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are: 1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL |
| alert.suppress | Boolean | Indicates whether alert suppression is enabled for this scheduled search. | |
| alert.suppress.fields | String | Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled. | |
| alert.suppress.period | Number | Valid values: [number][time-unit]
Specifies the suppresion period. Only valid if Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. | |
| alert.track | Enum | auto | Valid values: (true | false | auto)
Specifies whether to track the actions triggered by this scheduled search. auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | String | One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc
Used with alert_threshold to trigger alert actions. | |
| alert_condition | String | Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity. | |
| alert_threshold | Number | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." | |
| alert_type | String | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources | |
| args.* | String | Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$. | |
| auto_summarize | Boolean | 0 | Indicates whether the scheduler should ensure that the data for this search is automatically summarized. |
| auto_summarize.command | String | summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] | A search template that constructs the auto summarization for this search.
Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches. |
| auto_summarize.cron_schedule | String | */10 * * * * | Cron schedule that probes and generates the summaries for this saved search.
The default value corresponds to every ten hours. |
| auto_summarize.dispatch.earliest_time | String | A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| auto_summarize.dispatch.latest_time | String | A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| auto_summarize.dispatch.time_format | String | %FT%T.%Q%:z | Defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| auto_summarize.dispatch.ttl | String | 60 | Valid values: Integer[p]
Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. |
| auto_summarize.max_disabled_buckets | Number | 2 | The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. |
| auto_summarize.max_summary_ratio | Number | 0.1 | The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.
Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size. |
| auto_summarize.max_summary_size | Number | 52428800 | The minimum summary size, in bytes, before testing whether the summarization is helpful.
The default value is equivalent to 5MB. |
| auto_summarize.max_time | Number | 3600 | Maximum time (in seconds) that the summary search is allowed to run.
Note: This is an approximate time. The summary search stops at clean bucket boundaries. |
| auto_summarize.suspend_period | String | 24h | Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. |
| auto_summarize.timespan | String | The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.
For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d. | |
| cron_schedule | String | Valid values: cron string
The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. | |
| description | String | Human-readable description of this saved search. Defaults to empty string. | |
| disabled | Boolean | 0 | Indicates if the saved search is enabled.
Disabled saved searches are not visible in Splunk Web. |
| dispatch.* | String | Wildcard argument that accepts any dispatch related argument. | |
| dispatch.buckets | Number | 0 | The maximum number of timeline buckets. |
| dispatch.earliest_time | String | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| dispatch.indexedRealtime | Boolean | Indicates whether to used indexed-realtime mode when doing real-time searches. | |
| dispatch.latest_time | String | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| dispatch.lookups | Boolean | 1 | Enables or disables the lookups for this search. |
| dispatch.max_count | Number | 500000 | The maximum number of results before finalizing the search. |
| dispatch.max_time | Number | 0 | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Number | 10 | Specifies, in seconds, how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.rt_backfill | Boolean | 0 | Whether to back fill the real time window for this search. Parameter valid only if this is a real time search |
| dispatch.spawn_process | Boolean | 1 | Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.
Searches against indexes must run in a separate process. |
| dispatch.time_format | String | %FT%T.%Q%:z | A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Number | 2p | Valid values: Integer[p]
Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered. If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | String | Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. | |
| is_scheduled | Boolean | Whether this search is to be run on a schedule | |
| is_visible | Boolean | 1 | Specifies whether this saved search should be listed in the visible saved search list. |
| max_concurrent | Number | 1 | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| name required | String | A name for the search. | |
| next_scheduled_time | String | Read-only attribute. Value ignored on POST. There are some old clients who still send this value | |
| qualifiedSearch | String | Read-only attribute. Value ignored on POST. Splunk Enterprise computes this value during runtime. | |
| realtime_schedule | Boolean | 1 | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | String | Specifies a field used by Splunk Web to denote the app this search should be dispatched in. | |
| request.ui_dispatch_view | String | Specifies a field used by Splunk Web to denote the view this search should be displayed in. | |
| restart_on_searchpeer_add | Boolean | 1 | Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
NOTE: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Boolean | 0 | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search required | String | The search to save. | |
| vsid | String | Defines the viewstate id associated with the UI view listed in 'displayview'.
Must match up to a stanza in viewstates.conf. |
| Name | Description |
|---|---|
| action.* | * represents any custom action. |
| action.email | Indicates the state of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.<
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates.
Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf. |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | Sets the global maximum number of search results to send when email.action is enabled. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportCIDFontList | Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.
If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Default value: "gb cns jp kor" |
| action.email.reportIncludeSplunkLogo | Indicates whether to include the Splunk logo with the report. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.reportServerEnabled | Not supported. |
| action.email.reportServerURL | Not supported. |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server. |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| action.email.width_sort_columns | Indicates whether columns should be sorted from least wide to most wide, left to right.
Only valid if format=text. |
| action.populate_lookup | Indicates the state of the populate lookup action. |
| action.populate_lookup.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.populate_lookup.dest | Lookup name of path of the lookup to populate. |
| action.populate_lookup.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.populate_lookup.maxresults | The maximum number of search results sent using alerts. |
| action.populate_lookup.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
Valid values are: Integer[m|s|h|d] |
| action.populate_lookup.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.populate_lookup.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p] |
| action.rss | Indicates the state of the RSS action. |
| action.rss.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.rss.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.rss.maxresults | Sets the maximum number of search results sent using alerts. |
| action.rss.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted.
Valid values are Integer[m |s |h |d]. |
| action.rss.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.rss.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.script | Indicates the state of the script for this action. |
| action.script.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.script.filename | File name of the script to call. Required if script action is enabled |
| action.script.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.script.maxresults | Sets the maximum number of search results sent using alerts. |
| action.script.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. |
| action.script.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.script.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.summary_index | Indicates the state of the summary index. |
| action.summary_index._name | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." |
| action.summary_index.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.summary_index.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.summary_index.inline | Determines whether to execute the summary indexing action as part of the scheduled search.
Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always). |
| action.summary_index.maxresults | Sets the maximum number of search results sent using alerts. |
| action.summary_index.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
Valid values are: Integer[m|s|h|d] |
| action.summary_index.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.summary_index.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| actions | Actions triggerd by this alert. |
| alert.digest_mode | Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result. |
| alert.expires | Sets the period of time to show the alert in the dashboard. Defaults to 24h.
Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. Valid values: [number][time-unit] |
| alert.severity | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are:
|
| alert.suppress | Indicates whether alert suppression is enabled for this schedules search. |
| alert.suppress.fields | Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled. |
| alert.suppress.period | Specifies the suppresion period. Only valid if alert.supress is enabled.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.track | Specifies whether to track the actions triggered by this scheduled search.
auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc |
| alert_condition | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. Note: If you specify an alert_condition, do not set counttype, relation, or quantity. |
| alert_threshold | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_type | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources |
| args.* | Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$. |
| auto_summarize | Indicates whether the scheduler should ensure that the data for this search is automatically summarized. |
| auto_summarize.command | A search template that constructs the auto summarization for this search.
Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches. |
| auto_summarize.cron_schedule | Cron schedule that probes and generates the summaries for this saved search. |
| auto_summarize.dispatch.earliest_time | A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time. |
| auto_summarize.dispatch.latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time. |
| auto_summarize.dispatch.time_format | Time format used to specify the earliest and latest times. |
| auto_summarize.dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| auto_summarize.max_disabled_buckets | The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. |
| auto_summarize.max_summary_ratio | The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.
Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size. |
| auto_summarize.max_summary_size | The minimum summary size, in bytes, before testing whether the summarization is helpful. |
| auto_summarize.max_time | Maximum time (in seconds) that the summary search is allowed to run.
Note: This is an approximate time. The summary search stops at clean bucket boundaries. |
| auto_summarize.suspend_period | Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. |
| auto_summarize.timespan | The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available.
For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d. |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of this saved search. Defaults to empty string. |
| disabled | Indicates if this saved search is disabled. |
| dispatch.* | * represents any custom dispatch field. |
| dispatch.buckets | The maximum nuber of timeline buckets. |
| dispatch.earliest_time | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.indexedRealtime | Indicates whether to used indexed-realtime mode when doing real-time searches. |
| dispatch.latest_time | A time string that specifies the latest time for the aved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.lookups | Indicates if lookups are enabled for this search. |
| dispatch.max_count | The maximum number of results before finalizing the search. |
| dispatch.max_time | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.rt_backfill | Indicates whether to back fill the real time window for this search. Parameter valid only if this is a real time search |
| dispatch.spawn_process | Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed. |
| dispatch.time_format | Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| is_visible | Indicates if this saved search appears in the visible saved search list. |
| max_concurrent | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | The time when the scheduler runs this search again. |
| qualifiedSearch | The exact search string that the scheduler would run. |
| realtime_schedule | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | A field used by Splunk Web to denote the app this search should be dispatched in. |
| request.ui_dispatch_view | Specifies a field used by Splunk Web to denote the view this search should be displayed in. |
| restart_on_searchpeer_add | Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
Note: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search | Search expression to filter the response. The response matches field values against the search expression. For example:
search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| vsid | The viewstate id associated with the UI view listed in 'displayview'.
Matches to a stanza in viewstates.conf. |
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}
Authentication: Not required
Manage the {name} saved search.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete this saved search. | XML, JSON |
| GET | Get information on this saved search. | XML, JSON |
| POST | Updates this saved search | XML, JSON |
saved/searches/{name} method detailNone
None
saved/searches/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| earliest_time | String | If the search is scheduled display scheduled times starting from this time | |
| latest_time | String | If the search is scheduled display scheduled times ending at this time | |
| listDefaultActionArgs | Boolean | Indicates whether to list default actions. |
| Name | Description |
|---|---|
| action.email | Indicates the state of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates. |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. Note: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost." When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | Sets the global maximum number of search results to send when email.action is enabled. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.reportServerEnabled | Not supported. |
| action.email.reportServerURL | Not supported. |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server. |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| action.populate_lookup | The state of the populate lookup action. |
| action.populate_lookup.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.populate_lookup.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.populate_lookup.maxresults | The maximum number of search results sent using alerts. |
| action.populate_lookup.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
Valid values are: Integer[m|s|h|d] |
| action.populate_lookup.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.populate_lookup.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p] |
| action.rss | The state of the RSS action. |
| action.rss.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.rss.hostname | Sets the hostname used in the web link (url) sent in alert actions. |
| action.rss.maxresults | Sets the maximum number of search results sent using alerts. |
| action.rss.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m. |
| action.rss.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.rss.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.script | The state of the script action. |
| action.script.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.script.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)
|
| action.script.maxresults | The maximum number of search results sent using alerts. |
| action.script.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. |
| action.script.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.script.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.summary_index | The state of the summary index action. |
| action.summary_index._name | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." |
| action.summary_index.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.summary_index.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.summary_index.inline | Determines whether to execute the summary indexing action as part of the scheduled search.
Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always). |
| action.summary_index.maxresults | Sets the maximum number of search results sent using alerts. |
| action.summary_index.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. |
| action.summary_index.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.summary_index.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| alert.digest_mode | Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result. |
| alert.expires | Sets the period of time to show the alert in the dashboard. Defaults to 24h. |
| alert.severity | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are:
|
| alert.suppress | Indicates whether alert suppression is enabled for this schedules search. |
| alert.suppress.period | Specifies the suppresion period. Only valid if alert.supress is enabled.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.track | Specifies whether to track the actions triggered by this scheduled search.
auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | One of the following strings:
Used with alert_threshold to trigger alert actions. |
| alert_condition | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. |
| alert_threshold | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_type | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources. |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of this saved search. |
| disabled | Indicates if this saved search is disabled. |
| dispatch.buckets | The maximum nuber of timeline buckets. |
| dispatch.earliest_time | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.lookups | Indicates if lookups are enabled for this search. |
| dispatch.max_count | The maximum number of results before finalizing the search. |
| dispatch.max_time | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.spawn_process | Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed. |
| dispatch.time_format | A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | Defines the default Splunk Web view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. |
| earliest_time | For scheduled searches display all the scheduled times starting from this time. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| is_visible | Indicates if this saved search appears in the visible saved search list. |
| latest_time | For scheduled searches display all the scheduled times until this time (not just the next run time). |
| listDefaultActionArgs | List default values of actions.*, even though some of the actions may not be specified in the saved search. |
| max_concurrent | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | The time when the scheduler runs this search again. |
| qualifiedSearch | The exact search command for this saved search. |
| realtime_schedule | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. See the POST parameter for this attribute for details. |
| request.ui_dispatch_app | A field used by Splunk Web to denote the app this search should be dispatched in. |
| request.ui_dispatch_view | Specifies a field used by Splunk Web to denote the view this search should be displayed in. |
| restart_on_searchpeer_add | Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
Note: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search | Search expression to filter the response. The response matches field values against the search expression. For example:
search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| vsid | Defines the viewstate id associated with the UI view listed in 'displayview'.
Must match up to a stanza in viewstates.conf. |
saved/searches/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| action.* | String | Wildcard argument for any action.
Use this parameter to specify specific action arguments. For example, to specify the email recipients for action.email.to. | |
| action.email | Boolean | 0 | The state of the email action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.email.auth_password | String | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. | |
| action.email.auth_username | String | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
NOTE: Your SMTP server might reject unauthenticated emails. | |
| action.email.bcc | String | BCC email address to use if action.email is enabled. | |
| action.email.cc | String | CC email address to use if action.email is enabled. | |
| action.email.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.email.format | Enum | Valid values: (plain | html | raw | csv)
Specify the format of text in the email. This value also applies to any attachments. | |
| action.email.from | String | Email address from which the email action originates.
Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf. | |
| action.email.hostname | String | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. | |
| action.email.inline | Boolean | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. | |
| action.email.mailserver | String | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). | |
| action.email.maxresults | Number | Sets the global maximum number of search results to send when email.action is enabled.
Defaults to 100. | |
| action.email.maxtime | Number | Valid values are Integer[m|s|h|d].
Specifies the maximum amount of time the execution of an email action takes before the action is aborted. Defaults to 5m. | |
| action.email.pdfview | String | The name of the view to deliver if sendpdf is enabled | |
| action.email.preprocess_results | String | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. | |
| action.email.reportCIDFontList | Enum | Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.
If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Defaults to "gb cns jp kor" | |
| action.email.reportIncludeSplunkLogo | Boolean | Indicates whether to include the Splunk logo with the report. | |
| action.email.reportPaperOrientation | Enum | Valid values: (portrait | landscape)
Specifies the paper orientation: portrait or landscape. Defaults to portrait. | |
| action.email.reportPaperSize | Enum | Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5)
Specifies the paper size for PDFs. Defaults to letter. | |
| action.email.reportServerEnabled | Boolean | Not supported. | |
| action.email.reportServerURL | String | Not supported. | |
| action.email.sendpdf | Boolean | Indicates whether to create and send the results as a PDF. Defaults to false. | |
| action.email.sendresults | Boolean | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. | |
| action.email.subject | String | Specifies an alternate email subject.
Defaults to SplunkAlert-<savedsearchname>. | |
| action.email.to | String | A comma or semicolon separated list of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. | |
| action.email.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.email.ttl | Number | Valid values are Integer[p].
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.email.use_ssl | Boolean | Indicates whether to use SSL when communicating with the SMTP server.
Defaults to false. | |
| action.email.use_tls | Boolean | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls).
Defaults to false. | |
| action.email.width_sort_columns | Boolean | Indicates whether columns should be sorted from least wide to most wide, left to right.
Only valid if format=text. | |
| action.populate_lookup | Boolean | 0 | The state of the populate lookup action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.populate_lookup.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.populate_lookup.dest | String | Lookup name of path of the lookup to populate | |
| action.populate_lookup.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.populate_lookup.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.populate_lookup.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.populate_lookup.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.populate_lookup.ttl | Number | Valid values are Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p. If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.rss | Boolean | 0 | The state of the rss action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.rss.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.rss.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.rss.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.rss.maxtime | Number | Valid values are Integer[m|s|h|d].
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m. | |
| action.rss.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.rss.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.script | Boolean | 0 | The state of the script action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions. |
| action.script.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.script.filename | String | File name of the script to call. Required if script action is enabled | |
| action.script.hostname | String | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.script.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.script.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.script.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.script.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes). If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| action.summary_index | Boolean | 0 | The state of the summary index action. Read-only attribute. Value ignored on POST. Use actions to specify a list of enabled actions.
Defaults to 0 |
| action.summary_index._name | String | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." | |
| action.summary_index.command | String | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. | |
| action.summary_index.hostname | String | Sets the hostname used in the web link (url) sent in summary-index alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. | |
| action.summary_index.inline | Boolean | Determines whether to execute the summary indexing action as part of the scheduled search.
NOTE: This option is considered only if the summary index action is enabled and is always executed (in other words, if Defaults to true | |
| action.summary_index.maxresults | Number | Sets the maximum number of search results sent using alerts. Defaults to 100. | |
| action.summary_index.maxtime | Number | Valid values are: Integer[m|s|h|d]
Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m. | |
| action.summary_index.track_alert | Boolean | Indicates whether the execution of this action signifies a trackable alert. | |
| action.summary_index.ttl | Number | Valid values are: Integer[p]
Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p. If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. | |
| actions | String | A comma-separated list of actions to enable.
For example: rss,email | |
| alert.digest_mode | Boolean | 1 | Specifies whether Splunk Enterprise applies the alert actions to the entire result set or on each individual result.
Defaults to true. |
| alert.expires | Number | 24h | Valid values: [number][time-unit]
Sets the period of time to show the alert in the dashboard. Defaults to 24h. Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.severity | Enum | 3 | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are: 1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL |
| alert.suppress | Boolean | Indicates whether alert suppression is enabled for this scheduled search. | |
| alert.suppress.fields | String | Comma delimited list of fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled. | |
| alert.suppress.period | Number | Valid values: [number][time-unit]
Specifies the suppresion period. Only valid if Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. | |
| alert.track | Enum | auto | Valid values: (true | false | auto)
Specifies whether to track the actions triggered by this scheduled search. auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | String | One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc
Used with alert_threshold to trigger alert actions. | |
| alert_condition | String | Contains a conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. NOTE: If you specify an alert_condition, do not set counttype, relation, or quantity. | |
| alert_threshold | Number | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." | |
| alert_type | String | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources | |
| args.* | String | Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$. | |
| auto_summarize | Boolean | 0 | Indicates whether the scheduler should ensure that the data for this search is automatically summarized. |
| auto_summarize.command | String | summarize override=partial timespan=$auto_summarize.timespan$ max_summary_size=$auto_summarize.max_summary_size$ max_summary_ratio=$auto_summarize.max_summary_ratio$ max_disabled_buckets=$auto_summarize.max_disabled_buckets$ max_time=$auto_summarize.max_time$ [ $search$ ] | A search template that constructs the auto summarization for this search.
Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches. |
| auto_summarize.cron_schedule | String | */10 * * * * | Cron schedule that probes and generates the summaries for this saved search.
The default value corresponds to every ten hours. |
| auto_summarize.dispatch.earliest_time | String | A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| auto_summarize.dispatch.latest_time | String | A time string that specifies the latest time for summarizing this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| auto_summarize.dispatch.time_format | String | %FT%T.%Q%:z | Defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| auto_summarize.dispatch.ttl | String | 60 | Valid values: Integer[p]
Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. |
| auto_summarize.max_disabled_buckets | Number | 2 | The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. |
| auto_summarize.max_summary_ratio | Number | 0.1 | The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.
Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size. |
| auto_summarize.max_summary_size | Number | 52428800 | The minimum summary size, in bytes, before testing whether the summarization is helpful.
The default value is equivalent to 5MB. |
| auto_summarize.max_time | Number | 3600 | Maximum time (in seconds) that the summary search is allowed to run.
Note: This is an approximate time. The summary search stops at clean bucket boundaries. |
| auto_summarize.suspend_period | String | 24h | Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. |
| auto_summarize.timespan | String | The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available. Specify a comma delimited list of time specifiers.
For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d. | |
| cron_schedule | String | Valid values: cron string
The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. | |
| description | String | Human-readable description of this saved search. Defaults to empty string. | |
| disabled | Boolean | 0 | Indicates if the saved search is enabled.
Disabled saved searches are not visible in Splunk Web. |
| dispatch.* | String | Wildcard argument that accepts any dispatch related argument. | |
| dispatch.buckets | Number | 0 | The maximum number of timeline buckets. |
| dispatch.earliest_time | String | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| dispatch.indexedRealtime | Boolean | Indicates whether to used indexed-realtime mode when doing real-time searches. | |
| dispatch.latest_time | String | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. | |
| dispatch.lookups | Boolean | 1 | Enables or disables the lookups for this search. |
| dispatch.max_count | Number | 500000 | The maximum number of results before finalizing the search. |
| dispatch.max_time | Number | 0 | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Number | 10 | Specifies, in seconds, how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.rt_backfill | Boolean | 0 | Whether to back fill the real time window for this search. Parameter valid only if this is a real time search |
| dispatch.spawn_process | Boolean | 1 | Specifies whether Splunk Enterprise spawns a new search process when this saved search is executed.
Searches against indexes must run in a separate process. |
| dispatch.time_format | String | %FT%T.%Q%:z | A time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Number | 2p | Valid values: Integer[p]
Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered. If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | String | Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. | |
| is_scheduled | Boolean | Whether this search is to be run on a schedule | |
| is_visible | Boolean | 1 | Specifies whether this saved search should be listed in the visible saved search list. |
| max_concurrent | Number | 1 | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | String | Read-only attribute. Value ignored on POST. There are some old clients who still send this value | |
| qualifiedSearch | String | Read-only attribute. Value ignored on POST. Splunk computes this value during runtime. | |
| realtime_schedule | Boolean | 1 | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | String | Specifies a field used by Splunk Web to denote the app this search should be dispatched in. | |
| request.ui_dispatch_view | String | Specifies a field used by Splunk Web to denote the view this search should be displayed in. | |
| restart_on_searchpeer_add | Boolean | 1 | Specifies whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
NOTE: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Boolean | 0 | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search | String | The search to save. | |
| vsid | String | Defines the viewstate id associated with the UI view listed in 'displayview'.
Must match up to a stanza in viewstates.conf. |
| Name | Description |
|---|---|
| action.* | * represents any custom action. |
| action.email | Indicates the state of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.<
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates.
Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf. |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. Note: If you specify an alert_condition, do not set counttype, relation, or quantity. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportCIDFontList | Space-separated list. Specifies the set (and load order) of CID fonts for handling Simplified Chinese(gb), Traditional Chinese(cns), Japanese(jp), and Korean(kor) in Integrated PDF Rendering.
If multiple fonts provide a glyph for a given character code, the glyph from the first font specified in the list is used. To skip loading any CID fonts, specify the empty string. Default value: "gb cns jp kor" |
| action.email.reportIncludeSplunkLogo | Indicates whether to include the Splunk logo with the report. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.reportServerEnabled | Not supported. |
| action.email.reportServerURL | Not supported. |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server. |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| action.email.width_sort_columns | Indicates whether columns should be sorted from least wide to most wide, left to right.
Only valid if format=text. |
| action.populate_lookup | Indicates the state of the populate lookup action. |
| action.populate_lookup.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.populate_lookup.dest | Lookup name of path of the lookup to populate. |
| action.populate_lookup.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.populate_lookup.maxresults | The maximum number of search results sent using alerts. |
| action.populate_lookup.maxtime | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.populate_lookup.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.populate_lookup.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, then this specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p] |
| action.rss | Indicates the state of the RSS action. |
| action.rss.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.rss.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.rss.maxresults | Sets the maximum number of search results sent using alerts. |
| action.rss.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 1m. |
| action.rss.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.rss.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.script | Indicates the state of the script for this action. |
| action.script.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.script.filename | File name of the script to call. Required if script action is enabled |
| action.script.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com)
|
| action.script.maxresults | Sets the maximum number of search results sent using alerts. |
| action.script.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. |
| action.script.track_alert | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." |
| action.script.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 600 (10 minutes).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| action.summary_index | Indicates the state of the summary index. |
| action.summary_index._name | Specifies the name of the summary index where the results of the scheduled search are saved.
Defaults to "summary." |
| action.summary_index.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.summary_index.hostname | Sets the hostname used in the web link (url) sent in alert actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) See action.email.hostname for details. |
| action.summary_index.inline | Determines whether to execute the summary indexing action as part of the scheduled search.
Note: This option is considered only if the summary index action is enabled and is always executed (in other words, if counttype = always). |
| action.summary_index.maxresults | Sets the maximum number of search results sent using alerts. |
| action.summary_index.maxtime | Sets the maximum amount of time the execution of an action takes before the action is aborted. Defaults to 5m.
Valid values are: Integer[m|s|h|d] |
| action.summary_index.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.summary_index.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows Integer, specifies the number of scheduled periods. Defaults to 10p.
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are: Integer[p] |
| actions | Actions to enable. |
| alert.digest_mode | Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result. |
| alert.expires | Sets the period of time to show the alert in the dashboard. Defaults to 24h.
Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. Valid values: [number][time-unit] |
| alert.severity | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are:
|
| alert.suppress | Indicates whether alert suppression is enabled for this schedules search. |
| alert.suppress.fields | Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled. |
| alert.suppress.period | Specifies the suppresion period. Only valid if alert.supress is enabled.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.track | Specifies whether to track the actions triggered by this scheduled search.
auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | One of the following strings: greater than, less than, equal to, rises by, drops by, rises by perc, drops by perc
Used with alert_threshold to trigger alert actions. |
| alert_condition | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. Note: If you specify an alert_condition, do not set counttype, relation, or quantity. |
| alert_threshold | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_type | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources. |
| args.* | Wildcard argument that accepts any saved search template argument, such as args.username=foobar when the search is search $username$. |
| auto_summarize | Indicates whether the scheduler should ensure that the data for this search is automatically summarized. |
| auto_summarize.command | A search template that constructs the auto summarization for this search.
Caution: Advanced feature. Do not change unless you understand the architecture of auto summarization of saved searches. |
| auto_summarize.cron_schedule | Cron schedule that probes and generates the summaries for this saved search.
The default value corresponds to every ten hours. |
| auto_summarize.dispatch.earliest_time | A time string that specifies the earliest time for summarizing this search. Can be a relative or absolute time. |
| auto_summarize.dispatch.latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time. |
| auto_summarize.dispatch.time_format | Defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| auto_summarize.dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the summarization of the scheduled search. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| auto_summarize.max_disabled_buckets | The maximum number of buckets with the suspended summarization before the summarization search is completely stopped, and the summarization of the search is suspended for auto_summarize.suspend_period. |
| auto_summarize.max_summary_ratio | The maximum ratio of summary_size/bucket_size, which specifies when to stop summarization and deem it unhelpful for a bucket.
Note: The test is only performed if the summary size is larger than auto_summarize.max_summary_size. |
| auto_summarize.max_summary_size | The minimum summary size, in bytes, before testing whether the summarization is helpful. |
| auto_summarize.max_time | Maximum time (in seconds) that the summary search is allowed to run.
Note: This is an approximate time. The summary search stops at clean bucket boundaries. |
| auto_summarize.suspend_period | Time specfier indicating when to suspend summarization of this search if the summarization is deemed unhelpful. |
| auto_summarize.timespan | The list of time ranges that each summarized chunk should span. This comprises the list of available granularity levels for which summaries would be available.
For example a timechart over the last month whose granuality is at the day level should set this to 1d. If you need the same data summarized at the hour level for weekly charts, use: 1h,1d. |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of this saved search. |
| disabled | Indicates if the saved search is disnabled.
Disabled saved searches are not visible in Splunk Web. |
| dispatch.* | * represents any custom dispatch field. |
| dispatch.buckets | The maximum nuber of timeline buckets. |
| dispatch.earliest_time | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.indexedRealtime | Indicates whether to used indexed-realtime mode when doing real-time searches. |
| dispatch.latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.lookups | Indicates if lookups are enabled for this search. |
| dispatch.max_count | The maximum number of results before finalizing the search. |
| dispatch.max_time | Indicates the maximum amount of time (in seconds) before finalizing the search. |
| dispatch.reduce_freq | Specifies how frequently Splunk Enterprise should run the MapReduce reduce phase on accumulated map values. |
| dispatch.rt_backfill | Indicates whether to back fill the real time window for this search. Parameter valid only if this is a real time search |
| dispatch.spawn_process | Indicates whether Splunk Enterprise spawns a new search process when this saved search is executed. |
| dispatch.time_format | Time format string that defines the time format that Splunk Enterprise uses to specify the earliest and latest time. |
| dispatch.ttl | Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no actions are triggered.
If an action is triggered Splunk Enterprise changes the ttl to that action ttl. If multiple actions are triggered, Splunk Enterprise applies the maximum ttl to the artifacts. To set the action ttl, refer to alert_actions.conf.spec. If the integer is followed by the letter 'p' Splunk Enterprise interprets the ttl as a multiple of the scheduled search period. |
| displayview | Defines the default UI view name (not label) in which to load the results. Accessibility is subject to the user having sufficient permissions. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| is_visible | Indicates if this saved search appears in the visible saved search list. |
| max_concurrent | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | The time when the scheduler runs this search again. |
| qualifiedSearch | The exact search command for this saved search. |
| realtime_schedule | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | A field used by Splunk Web to denote the app this search should be dispatched in. |
| request.ui_dispatch_view | Specifies a field used by Splunk Web to denote the view this search should be displayed in. |
| restart_on_searchpeer_add | Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
Note: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| search | Search expression to filter the response. The response matches field values against the search expression. For example:
search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| vsid | Defines the viewstate id associated with the UI view listed in 'displayview'.
Must match up to a stanza in viewstates.conf. |
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/acknowledge
Authentication: Not required
Acknowledge the {name} saved search alert suppression.
| Method | Description | Formats |
|---|---|---|
| POST | Acknowledge the {name} saved search alert suppression and resume alerting. | XML, JSON |
saved/searches/{name}/acknowledge method detail| Name | Type | Default | Description |
|---|---|---|---|
| key | String | The suppression key used in field-based supression.
For example, in host-based suppression, with data from 5 hosts, the key is the host, as each host could have different suppression expiration times. |
None
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/dispatch
Authentication: Not required
Dispatch the {name} saved search.
| Method | Description | Formats |
|---|---|---|
| POST | Dispatch the {name} saved search. | XML, JSON |
saved/searches/{name}/dispatch method detail| Name | Type | Default | Description |
|---|---|---|---|
| args.* | Arg values to create a saved search is the saved search is a template search.
For example, specify arg.index_name to create the following search:
| ||
| dispatch.* | String | Any dispatch.* field of the search that needs to be overridden when running the summary search. | |
| dispatch.now | Boolean | Dispatch the search as if the specified time for this parameter was the current time. | |
| force_dispatch | Boolean | Indicates whether to start a new search even if another instance of this search is already running. | |
| now | String | [Deprecated] Use dispatch.now. | |
| trigger_actions | Boolean | Indicates whether to trigger alert actions. |
None
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/history
Authentication: Not required
List available search jobs created from the {name} saved search.
| Method | Description | Formats |
|---|---|---|
| GET | List available search jobs created from the {name} saved search. | XML, JSON |
saved/searches/{name}/history method detailNone
| Name | Description |
|---|---|
| earliest_time | The earliest time a search job is configured to start. |
| isDone | Indicates if the search has completed. |
| isFinalized | Indicates if the search was finalized (stopped before completion). |
| isRealTimeSearch | Indicates if the search is a real time search. |
| isSaved | Indicates if the search is saved idefinitely. |
| isScheduled | Indicates if the search is a scheduled search. |
| isZombie | Indicates if the process running the search is dead, but with the search not finished. |
| latest_time | The latest time a search job is configured to start. |
| listDefaultActionArgs | List default values of actions.*, even though some of the actions may not be specified in the saved search. |
| ttl | The time to live, or time before the search job expires after it completes. |
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/reschedule
Authentication: Not required
Get list of scheduled searches.
| Method | Description | Formats |
|---|---|---|
| POST | Get list of scheduled searches. | XML, JSON |
saved/searches/{name}/reschedule method detail| Name | Type | Default | Description |
|---|---|---|---|
| schedule_time | String | The time to next run the search. |
None
If no schedule_time argument is specified, it is assumed that the search should be run as soon as possible.
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/scheduled_times
Authentication: Not required
Get {name} scheduled saved search time.
| Method | Description | Formats |
|---|---|---|
| GET | Get {name} scheduled saved search time. | XML, JSON |
saved/searches/{name}/scheduled_times method detail| Name | Type | Default | Description |
|---|---|---|---|
| earliest_time required | String | Absolute or relative earliest time | |
| latest_time required | String | Absolute or relative latest time |
| Name | Description |
|---|---|
| action.email | Indicates the state of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.summary_index | The state of the summary index action. |
| action.summary_index._name | The state of the summary index action. |
| actions | Actions triggerd by this alert. |
| alert.digest_mode | Indicates if Splunk Enterprise applies the alert actions to the entire result set or on each individual result. |
| alert.expires | Sets the period of time to show the alert in the dashboard. Defaults to 24h.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.severity | Valid values: (1 | 2 | 3 | 4 | 5 | 6)
Sets the alert severity level. Valid values are: 1 DEBUG 2 INFO 3 WARN 4 ERROR 5 SEVERE 6 FATAL |
| alert.suppress | Indicates whether alert suppression is enabled for this schedules search. |
| alert.suppress.fields | Fields to use for suppression when doing per result alerting. Required if suppression is turned on and per result alerting is enabled. |
| alert.suppress.period | Specifies the suppresion period. Only valid if alert.supress is enabled.
Use [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| alert.track | Specifies whether to track the actions triggered by this scheduled search.
auto - determine whether to track or not based on the tracking setting of each action, do not track scheduled searches that always trigger actions. true - force alert tracking. false - disable alert tracking for this search. |
| alert_comparator | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_condition | A conditional search that is evaluated against the results of the saved search. Defaults to an empty string.
Alerts are triggered if the specified search yields a non-empty search result list. Note: If you specify an alert_condition, do not set counttype, relation, or quantity. |
| alert_threshold | Valid values are: Integer[%]
Specifies the value to compare (see alert_comparator) before triggering the alert actions. If expressed as a percentage, indicates value to use when alert_comparator is set to "rises by perc" or "drops by perc." |
| alert_type | What to base the alert on, overriden by alert_condition if it is specified. Valid values are: always, custom, number of events, number of hosts, number of sources. |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of the saved search. |
| disabled | Indicates if this saved search is disabled. |
| dispatch.buckets | The maximum number of timeline buckets. |
| dispatch.earliest_time | A time string that specifies the earliest time for this search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| dispatch.lookups | Indicates if lookups are enabled for this search. |
| dispatch.max_count | The maximum number of results before finalizing the search. |
| dispatch.max_time | Indicates the maximum amount of time (in seconds) before finalizing the search |
| earliest_time | For scheduled searches display all the scheduled times starting from this time. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| is_visible | Indicates if this saved search appears in the visible saved search list. |
| latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| listDefaultActionArgs | List default values of actions.*, even though some of the actions may not be specified in the saved search. |
| max_concurrent | The maximum number of concurrent instances of this search the scheduler is allowed to run. |
| next_scheduled_time | The time when the scheduler runs this search again. |
| qualifiedSearch | The exact search command for this saved search. |
| realtime_schedule | Controls the way the scheduler computes the next execution time of a scheduled search. If this value is set to 1, the scheduler bases its determination of the next scheduled search execution time on the current time.
If this value is set to 0, the scheduler bases its determination of the next scheduled search on the last search execution time. This is called continuous scheduling. If set to 0, the scheduler never skips scheduled execution periods. However, the execution of the saved search might fall behind depending on the scheduler load. Use continuous scheduling whenever you enable the summary index option. If set to 1, the scheduler might skip some execution periods to make sure that the scheduler is executing the searches running over the most recent time range. The scheduler tries to execute searches that have realtime_schedule set to 1 before it executes searches that have continuous scheduling (realtime_schedule = 0). |
| request.ui_dispatch_app | A field used by Splunk Web to denote the app this search should be dispatched in. |
| request.ui_dispatch_view | A field used by Splunk Web to denote the app this search should be dispatched in. |
| restart_on_searchpeer_add | Indicates whether to restart a real-time search managed by the scheduler when a search peer becomes available for this saved search.
Note: The peer can be a newly added peer or a peer down and now available. |
| run_on_startup | Indicates whether this search runs when Splunk Enterprise starts. If it does not run on startup, it runs at the next scheduled time.
Splunk recommends that you set run_on_startup to true for scheduled searches that populate lookup tables. |
| scheduled_times | The times when the scheduler runs the search. |
| search | Search expression to filter the response. The response matches field values against the search expression. For example:
search=foo matches any object that has "foo" as a substring in a field. search=field_name%3Dfield_value restricts the match to a single field. URI-encoding is required in this example. |
| vsid | The viewstate id associated with the Splunk Web view listed in 'displayview'.
Matches to a stanza in viewstates.conf. |
Specify a time range for the data returned using earliest_time and latest_time parameters.
[ Top ]
https://<host>:<mPort>/services/saved/searches/{name}/suppress
Authentication: Not required
Get the {name} saved search alert suppression state.
| Method | Description | Formats |
|---|---|---|
| GET | Get the {name} saved search alert suppression state. | XML, JSON |
saved/searches/{name}/suppress method detail| Name | Type | Default | Description |
|---|---|---|---|
| expiration | String | Indicates the time the suppression period expires. | |
| key |
| Name | Description |
|---|---|
| earliest_time | For scheduled searches display all the scheduled times starting from this time. |
| expiration | Sets the period of time to show the alert in the dashboard. Defaults to 24h.
Uses [number][time-unit] to specify a time. For example: 60 = 60 seconds, 1m = 1 minute, 1h = 60 minutes = 1 hour. |
| latest_time | A time string that specifies the latest time for this saved search. Can be a relative or absolute time.
If this value is an absolute time, use the dispatch.time_format to format the value. |
| listDefaultActionArgs | List default values of actions.*, even though some of the actions may not be specified in the saved search. |
| suppressed | Indicates if alert suppression is enabled for this search. |
| suppressionKey | A combination of all the values of the suppression fields (or the combinations MD5), if fields were specified. |
[ Top ]
https://<host>:<mPort>/services/scheduled/views
Authentication: Not required
Allows for management of scheduled (for pdf delivery) views. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view.
| Method | Description | Formats |
|---|---|---|
| GET | Lists all scheduled view objects. | XML, JSON |
scheduled/views method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| action.email | Indicates the state of the email action. |
| action.email.pdfview | Name of the view to send as a PDF. |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether the search results are included in the email. The results can be attached or inline. |
| action.email.to | List of recipient email addresses. Required if the email alert action is enabled. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| cron_schedule | The cron schedule to use for delivering the view. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view
For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. |
| description | Description of this scheduled view object. |
| disabled | Indicates if the scheduled view is disabled. |
| is_scheduled | Indicates if PDF delivery of this view is scheduled. |
| next_scheduled_time | The next time when the view is delivered. |
[ Top ]
https://<host>:<mPort>/services/scheduled/views/{name}
Authentication: Not required
Manage the {name} scheduled view.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete a scheduled view. | XML, JSON |
| GET | List the {name} scheduled view object. | XML, JSON |
| POST | Modify the {name} scheduled view. | XML, JSON |
scheduled/views/{name} method detailNone
None
scheduled/views/{name} method detailNone
| Name | Description |
|---|---|
| action.email | Indicates the sate of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here and it is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | "BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.<
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates.
Defaults to splunk@$LOCALHOST or whatever value is set in alert_actions.conf. |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | Sets the global maximum number of search results to send when email.action is enabled. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled. |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies the email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of this saved search for this view. |
| disabled | Indicates if the saved search for this view is disabled. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| next_scheduled_time | The next time when the view is delivered. |
scheduled/views/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| action.email.to required | String | Comma or semicolon separated list of email addresses to send the view to | |
| action.email* | String | Wildcard argument that accepts any email action. | |
| cron_schedule required | String | The cron schedule to use for delivering the view. Scheduled views are dummy/noop scheduled saved searches that email a pdf version of a view.
For example: */5 * * * * causes the search to execute every 5 minutes. cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. | |
| description | String | User readable description of this scheduled view object | |
| disabled | Boolean | 0 | Whether this object is enabled or disabled |
| is_scheduled required | Boolean | Whether this pdf delivery should be scheduled | |
| next_scheduled_time | String | The next time when the view is delivered. Ignored on edit, here only for backwards compatability. |
| Name | Description |
|---|---|
| action.email | Indicates the status of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.<
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | Sets the maximum number of search results sent using alerts. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled. |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server. |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of the saved search for this view. |
| disabled | Indicates if the saved search for this view is disabled. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| next_scheduled_time | The next time when the view is delivered. |
[ Top ]
https://<host>:<mPort>/services/scheduled/views/{name}/dispatch
Authentication: Not required
Dispatch the scheduled search associated with the {name} scheduled view.
| Method | Description | Formats |
|---|---|---|
| POST | Dispatch the scheduled search associated with the {name} scheduled view. | XML, JSON |
scheduled/views/{name}/dispatch method detail| Name | Type | Default | Description |
|---|---|---|---|
| args.* | String | Wildcard argument that accepts any saved search template argument, such as arg.username=foobar when the search is search $username$. | |
| dispatch.* | String | Wildcard argument that accepts any dispatch related argument. | |
| dispatch.now | Boolean | Dispatch the search as if the specified time for this parameter was the current time. | |
| force_dispatch | Boolean | Indicates whether to start a new search even if another instance of this search is already running. | |
| now | String | [Deprecated] Use dispatch.now. | |
| trigger_actions | Boolean | Indicates whether to trigger alert actions |
None
[ Top ]
https://<host>:<mPort>/services/scheduled/views/{name}/history
Authentication: Not required
Get a list of search jobs used to render the {name} scheduled view.
| Method | Description | Formats |
|---|---|---|
| GET | Get a list of search jobs used to render the {name} scheduled view. | XML, JSON |
scheduled/views/{name}/history method detailNone
None
[ Top ]
https://<host>:<mPort>/services/scheduled/views/{name}/reschedule
Authentication: Not required
Schedule when to deliver a PDF of the view.
| Method | Description | Formats |
|---|---|---|
| POST | Schedule when to deliver a PDF of the view. | XML, JSON |
scheduled/views/{name}/reschedule method detail| Name | Type | Default | Description |
|---|---|---|---|
| schedule_time | String | Absolute or relative schedule time. |
None
If schedule_time is not specified, then it is assumed that the delivery should occur as soon as possible.
[ Top ]
https://<host>:<mPort>/services/scheduled/views/{name}/scheduled_times
Authentication: Not required
Get scheduled view times.
| Method | Description | Formats |
|---|---|---|
| GET | Get scheduled view times. | XML, JSON |
scheduled/views/{name}/scheduled_times method detail| Name | Type | Default | Description |
|---|---|---|---|
| earliest_time | String | Absolute or relative earliest time | |
| latest_time | String | Absolute or relative latest time |
| Name | Description |
|---|---|
| action.email | Indicates the state of the email action. |
| action.email.auth_password | The password to use when authenticating with the SMTP server. Normally this value is set when editing the email settings, however you can set a clear text password here that is encrypted on the next Splunk Enterprise restart.
Defaults to empty string. |
| action.email.auth_username | The username to use when authenticating with the SMTP server. If this is empty string, no authentication is attempted. Defaults to empty string.
Note: Your SMTP server might reject unauthenticated emails. |
| action.email.bcc | BCC email address to use if action.email is enabled. |
| action.email.cc | CC email address to use if action.email is enabled. |
| action.email.command | The search command (or pipeline) which is responsible for executing the action.
Generally the command is a template search pipeline which is realized with values from the saved search. To reference saved search field values wrap them in $, for example to reference the savedsearch name use $name$, to reference the search use $search$. |
| action.email.format | Specify the format of text in the email. This value also applies to any attachments.<
Valid values: (plain | html | raw | csv) |
| action.email.from | Email address from which the email action originates. |
| action.email.hostname | Sets the hostname used in the web link (url) sent in email actions.
This value accepts two forms: hostname (for example, splunkserver, splunkserver.example.com) protocol://hostname:port (for example, http://splunkserver:8000, https://splunkserver.example.com:443) When this value is a simple hostname, the protocol and port which are configured within splunk are used to construct the base of the url. When this value begins with 'http://', it is used verbatim. NOTE: This means the correct port must be specified if it is not the default port for http or https. This is useful in cases when the Splunk Enterprise server is not aware of how to construct an externally referencable url, such as SSO environments, other proxies, or when the Splunk Enterprise server hostname is not generally resolvable. Defaults to current hostname provided by the operating system, or if that fails "localhost". When set to empty, default behavior is used. |
| action.email.inline | Indicates whether the search results are contained in the body of the email.
Results can be either inline or attached to an email. See action.email.sendresults. |
| action.email.mailserver | Set the address of the MTA server to be used to send the emails.
Defaults to <LOCALHOST> (or whatever is set in alert_actions.conf). |
| action.email.maxresults | Sets the maximum number of search results sent using alerts. |
| action.email.maxtime | Specifies the maximum amount of time the execution of an email action takes before the action is aborted. |
| action.email.pdfview | The name of the view to deliver if sendpdf is enabled. |
| action.email.preprocess_results | Search string to preprocess results before emailing them. Defaults to empty string (no preprocessing).
Usually the preprocessing consists of filtering out unwanted internal fields. |
| action.email.reportPaperOrientation | Specifies the paper orientation: portrait or landscape. |
| action.email.reportPaperSize | Specifies the paper size for PDFs. Defaults to letter.
Valid values: (letter | legal | ledger | a2 | a3 | a4 | a5) |
| action.email.reportServerEnabled | Not supported. |
| action.email.reportServerURL | Not supported. |
| action.email.sendpdf | Indicates whether to create and send the results as a PDF. |
| action.email.sendresults | Indicates whether to attach the search results in the email.
Results can be either attached or inline. See action.email.inline. |
| action.email.subject | Specifies an email subject.
Defaults to SplunkAlert-<savedsearchname>. |
| action.email.to | List of recipient email addresses. Required if this search is scheduled and the email alert action is enabled. |
| action.email.track_alert | Indicates whether the execution of this action signifies a trackable alert. |
| action.email.ttl | Specifies the minimum time-to-live in seconds of the search artifacts if this action is triggered. If p follows <Integer>, int is the number of scheduled periods. Defaults to 86400 (24 hours).
If no actions are triggered, the artifacts have their ttl determined by dispatch.ttl in savedsearches.conf. Valid values are Integer[p]. |
| action.email.use_ssl | Indicates whether to use SSL when communicating with the SMTP server. |
| action.email.use_tls | Indicates whether to use TLS (transport layer security) when communicating with the SMTP server (starttls). |
| action.email.width_sort_columns | Indicates whether columns should be sorted from least wide to most wide, left to right.
Only valid if format=text. |
| cron_schedule | The cron schedule to execute this search. For example: */5 * * * * causes the search to execute every 5 minutes.
cron lets you use standard cron notation to define your scheduled search interval. In particular, cron can accept this type of notation: 00,20,40 * * * *, which runs the search every hour at hh:00, hh:20, hh:40. Along the same lines, a cron of 03,23,43 * * * * runs the search every hour at hh:03, hh:23, hh:43. Splunk recommends that you schedule your searches so that they are staggered over time. This reduces system load. Running all of them every 20 minutes (*/20) means they would all launch at hh:00 (20, 40) and might slow your system every 20 minutes. Valid values: cron string |
| description | Description of the saved search for this view. |
| disabled | Indicates if the saved search for this view is disnabled.
Disabled saved searches are not visible in Splunk Web. |
| is_scheduled | Indicates if this search is to be run on a schedule. |
| next_scheduled_time | The next time when the view is delivered. |
Specify a time range for the data returned using earliest_time and latest_time parameters.
[ Top ]
https://<host>:<mPort>/services/search/jobs
Authentication: Not required
List search jobs.
Refer to Creating searches using the REST API for information on using this endpoint and other search endpoints.
| Method | Description | Formats |
|---|---|---|
| GET | Get details of all current searches. | XML, JSON |
| POST | Starts a new search, returning the search ID (<sid>). | XML, JSON |
search/jobs method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| cursorTime | The earliest time from which no events are later scanned.
Can be used to indicate progress. See description for doneProgress. |
| custom | Custom job property. (See the search/jobs POST request for an example of how to create a custom property.) |
| delegate | For saved searches, specifies jobs that were started by the user. Defaults to scheduler. |
| diskUsage | The total amount of disk space used, in bytes. |
| dispatchState | The state of the search. Can be any of QUEUED, PARSING, RUNNING, PAUSED, FINALIZING, FAILED, DONE. |
| doneProgress | A number between 0 and 1.0 that indicates the approximate progress of the search.
doneProgress = (latestTime â cursorTime) / (latestTime â earliestTime) |
| dropCount | For real-time searches only, the number of possible events that were dropped due to the rt_queue_size (default to 100000). |
| earliestTime | The earliest time a search job is configured to start.
Can be used to indicate progress. See description for doneProgress. |
| eventAvailableCount | The number of events that are available for export. |
| eventCount | The number of events returned by the search. |
| eventFieldCount | The number of fields found in the search results. |
| eventIsStreaming | Indicates if the events of this search are being streamed. |
| eventIsTruncated | Indicates if events of the search are not stored, making them unavailable from the events endpoint for the search. |
| eventSearch | Subset of the entire search that is before any transforming commands. The timeline and events endpoint represents the result of this part of the search. |
| eventSorting | Indicates if the events of this search are sorted, and in which order.
asc = ascending; desc = descending; none = not sorted |
| isDone | Indicates if the search has completed. |
| isFailed | Indicates if there was a fatal error executing the search. For example, invalid search string syntax. |
| isFinalized | Indicates if the search was finalized (stopped before completion). |
| isPaused | Indicates if the search is paused. |
| isPreviewEnabled | Indicates if previews are enabled. |
| isRealTimeSearch | Indicates if the search is a real time search. |
| isRemoteTimeline | Indicates if the remote timeline feature is enabled. |
| isSaved | Indicates that the search job is saved, storing search artifacts on disk for 7 days from the last time that the job was viewed or touched. Add or edit the default_save_ttl value in limits.conf to override the default value of 7 days.
|
| isSavedSearch | Indicates if this is a saved search run using the scheduler. |
| isZombie | Indicates if the process running the search is dead, but with the search not finished. |
| keywords | All positive keywords used by this search. A positive keyword is a keyword that is not in a NOT clause. |
| label | Custom name created for this search. |
| latestTime | The latest time a search job is configured to start.
Can be used to indicate progress. See description for doneProgress. |
| messages | Errors and debug messages. |
| numPreviews | Number of previews generated so far for this search job. |
| performance | A representation of the execution costs. |
| priority | An integer between 0-10 that indicates the search priority.
The priority is mapped to the OS process priority. The higher the number the higher the priority. The priority can be changed using action parameter for POST search/jobs/{search_id}/control. For example, for the action parameter, specify Note: In *nix systems, non-privileged users can only reduce the priority of a process. |
| remoteSearch | The search string that is sent to every search peer. |
| reportSearch | If reporting commands are used, the reporting search. |
| request | GET arguments that the search sends to splunkd. |
| resultCount | The total number of results returned by the search. In other words, this is the subset of scanned events (represented by the scanCount) that actually matches the search terms. |
| resultIsStreaming | Indicates if the final results of the search are available using streaming (for example, no transforming operations). |
| resultPreviewCount | The number of result rows in the latest preview results. |
| runDuration | Time in seconds that the search took to complete. |
| scanCount | The number of events that are scanned or read off disk. |
| searchEarliestTime | Specifies the earliest time for a search, as specified in the search command rather than the earliestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does). |
| searchLatestTime | Specifies the latest time for a search, as specified in the search command rather than the latestTime parameter. It does not snap to the indexed data time bounds for all-time searches (something that earliestTime/latestTime does). |
| searchProviders | A list of all the search peers that were contacted. |
| sid | The search ID number. |
| statusBuckets | Maximum number of timeline buckets. |
| ttl | The time to live, or time before the search job expires after it completes. |
The user ID is implied by the authentication to the call.
Information returned for each entry includes the search job properties, such as eventCount (number of events returned), runDuration (time the search took to complete), and others. The parameters to POST /search/jobs provides details on search job properties when creating a search. Search job properties are also described in Search job properties in the Knowledge Manager Manual.
You can specify optional arguments based on the search job properties to filter the entries returned. For example, specify search=eventCount>100 as an argument to the GET operation to return searches with event counts greater than 100.
The dispatchState property is of particular interest to determine the state of a search, and can contain the following values:
QUEUED
PARSING
RUNNING
PAUSED
FINALIZING
FAILED
DONE
This operation also returns performance information for the search. For more information refer to "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.
For more information on searches in Splunk Enterprise, refer to the Splunk Search Reference.
search/jobs method detail| Name | Type | Default | Description |
|---|---|---|---|
| auto_cancel | Number | 0 | If specified, the job automatically cancels after this many seconds of inactivity. (0 means never auto-cancel) |
| auto_finalize_ec | Number | 0 | Auto-finalize the search after at least this many events are processed.
Specify |
| auto_pause | Number | 0 | If specified, the search job pauses after this many seconds of inactivity. (0 means never auto-pause.)
To restart a paused search job, specify unpause as an action to POST search/jobs/{search_id}/control. auto_pause only goes into effect once. Unpausing after auto_pause does not put auto_pause into effect again. |
| custom | String | Specify a custom parameter (see example). | |
| earliest_time | String | Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to | |
| enable_lookups | Boolean | true | Indicates whether lookups should be applied to events.
Specifying true (the default) may slow searches significantly depending on the nature of the lookups. |
| exec_mode | Enum | normal | Valid values: (blocking | oneshot | normal)
If set to normal, runs an asynchronous search. If set to blocking, returns the sid when the job is complete. If set to oneshot, returns results in the same call. In this case, you can specify the format for the output (for example, json output) using the output_mode parameter as described in GET search/jobs/export. Default format for output is xml. |
| force_bundle_replication | Boolean | false | Specifies whether this search should cause (and wait depending on the value of sync_bundle_replication) for bundle synchronization with all search peers. |
| id | String | Optional string to specify the search ID (<sid>). If unspecified, a random ID is generated.
| |
| index_earliest | String | Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time bounds.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Compare to Refer to Time modifiers for search for information and examples of specifying a time string. | |
| index_latest | String | Specify a time string. Sets the latest (exclusive), respectively, time bounds for the search, based on the index time bounds.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to | |
| indexedRealtime | Boolean | Indicate whether or not to used indexed-realtime mode for real-time searches. | |
| indexedRealtimeOffset | Number | Set disk sync delay for indexed real-time search (seconds). | |
| latest_time | String | Specify a time string. Sets the latest (exclusive), respectively, time bounds for the search.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. Compare to | |
| max_count | Number | 10000 | The number of events that can be accessible in any given status bucket.
Also, in transforming mode, the maximum number of results to store. Specifically, in all calls, |
| max_time | Number | 0 | The number of seconds to run this search before finalizing. Specify 0 to never finalize.
|
| namespace | String | The application namespace in which to restrict searches.
The namespace corresponds to the identifier recognized in the | |
| now | String | current system time | Specify a time string to set the absolute time used for any relative time specifier in the search. Defaults to the current system time.
You can specify a relative time modifier for this parameter. For example, specify If you specify a relative time modifier both in this parameter and in the search string, the search string modifier takes precedence. Refer to Time modifiers for search for details on specifying relative time modifiers. |
| reduce_freq | Number | 0 | Determines how frequently to run the MapReduce reduce phase on accumulated map values. |
| reload_macros | Boolean | true | Specifies whether to reload macro definitions from macros.conf.
Default is true. |
| remote_server_list | String | empty list | Comma-separated list of (possibly wildcarded) servers from which raw events should be pulled. This same server list is to be used in subsearches. |
| required_field_list | String | empty list | [Deprecated] Use rf.
A comma-separated list of required fields that, even if not referenced or used directly by the search, is still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view. |
| reuse_max_seconds_ago | Number | Specifies the number of seconds ago to check when an identical search is started and return the job's search ID instead of starting a new job. | |
| rf | String | Adds a required field to the search. There can be multiple rf POST arguments to the search.
These fields, even if not referenced or used directly by the search, are still included by the events and summary endpoints. Splunk Web uses these fields to prepopulate panels in the Search view. Consider using this form of passing the required fields to the search instead of the deprecated required_field_list. If both rf and required_field_list are provided, the union of the two lists is used. | |
| rt_blocking | Boolean | false | For a real-time search, indicates if the indexer blocks if the queue for this search is full. |
| rt_indexfilter | Boolean | true | For a real-time search, indicates if the indexer prefilters events. |
| rt_maxblocksecs | Number | 60 | For a real-time search with rt_blocking set to true, the maximum time to block.
Specify |
| rt_queue_size | Number | 10000 events | For a real-time search, the queue size (in events) that the indexer should use for this search. |
| search required | String | The search language string to execute, taking results from the local and remote servers.
Examples:
| |
| search_listener | String | Registers a search state listener with the search.
Use the format: search_state;results_condition;http_method;uri; For example: search_listener=onResults;true;POST;/servicesNS/admin/search/saved/search/foobar/notify; | |
| search_mode | Enum | normal | Valid values: (normal | realtime)
If set to Additionally, if earliest_time and/or latest_time are 'rt' followed by a relative time specifiers then a sliding window is used where the time bounds of the window are determined by the relative time specifiers and are continuously updated based on the wall-clock time. |
| spawn_process | Boolean | true | Specifies whether the search should run in a separate spawned process. Default is true.
Searches against indexes must run in a separate process. |
| status_buckets | Number | 0 | The most status buckets to generate.
|
| sync_bundle_replication | Boolean | Specifies whether this search should wait for bundle replication to complete. | |
| time_format | String | %FT%T.%Q%:z | Used to convert a formatted time string from {start,end}_time into UTC seconds. The default value is the ISO-8601 format. |
| timeout | Number | 86400 | The number of seconds to keep this search after processing has stopped. |
None
Refer to Creating searches using the REST API for information on using this endpoint and other search endpoints.
The search parameter is a search language string that specifies the search. Often you create a search specifying just the search parameter. Use the other parameters to customize a search to specific needs.
Use the returned (<sid>) in the following endpoints to view and manage the search:
search/jobs/{search_id}: View the status of this search job.
search/jobs/{search_id}/control: Execute job control commands, such as pause, cancel, preview, and others.
search/jobs/{search_id}/events: View a set of untransformed events for the search.
search/jobs/{search_id}/results: View results of the search.
search/jobs/{search_id}/results_preview: Preview results of a search that has not completed
search/jobs/{search_id}/search.log: View the log file generated by the search.
search/jobs/{search_id}/summary: View field summary information
search/jobs/{search_id}/timeline: View event distribution over time.
You can also use the custom attribute to create custom job properties (see example).
For more information on searches in Splunk Enterprise, refer to the Splunk Search Reference.
[ Top ]
https://<host>:<mPort>/services/search/jobs/export
Authentication: Not required
Allows for streaming of search results as they become available.
| Method | Description | Formats |
|---|---|---|
| GET | Performs a search identical to POST search/jobs. | XML, JSON |
| POST | Performs a search identical to POST search/jobs. | XML, JSON |
search/jobs/export method detail| Name | Type | Default | Description |
|---|---|---|---|
| auto_cancel | Number | Same as for POST search/jobs. | |
| auto_finalize_ec | Number | Same as for POST search/jobs. | |
| auto_pause | Number | Same as for POST search/jobs. | |
| earliest_time | String | Same as for POST search/jobs. | |
| enable_lookups | Bool | Same as for POST search/jobs. | |
| force_bundle_replication | Bool | Same as for POST search/jobs. | |
| id | String | Same as for POST search/jobs. | |
| index_earliest | String | Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. | |
| index_latest | String | Specify a time string. Sets the latest (inclusive), respectively, time bounds for the search, based on the index time.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. | |
| latest_time | String | Same as for POST search/jobs. | |
| max_time | Number | Same as for POST search/jobs. | |
| namespace | String | Same as for POST search/jobs. | |
| now | String | Same as for POST search/jobs. | |
| output_mode | Enum | xml | Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)
Specifies the format for the returned output. |
| reduce_freq | Number | Same as for POST search/jobs. | |
| reload_macros | Bool | Same as for POST search/jobs. | |
| remote_server_list | String | Same as for POST search/jobs. | |
| required_field_list | String | Same as for POST search/jobs. | |
| rf | String | Same as for POST search/jobs. | |
| rt_blocking | Bool | Same as for POST search/jobs. | |
| rt_indexfilter | Bool | Same as for POST search/jobs. | |
| rt_maxblocksecs | Number | Same as for POST search/jobs. | |
| rt_queue_size | Number | Same as for POST search/jobs. | |
| search required | String | Same as for POST search/jobs. | |
| search_listener | String | Same as for POST search/jobs. | |
| search_mode | Enum | Same as for POST search/jobs. | |
| sync_bundle_replication | Bool | Same as for POST search/jobs. | |
| time_format | String | Same as for POST search/jobs. | |
| timeout | Number | Same as for POST search/jobs. |
None
Performs a search identical to POST search/jobs, except the search does not create a search ID (<sid>) and the search streams results as they become available. Streaming of results is based on the search string.
For non-streaming searches, previews of the final results are available if preview is enabled. If preview is not enabled, it is better to use search/jobs with exec_mode=oneshot.
If it is too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control, which is a better approach for extremely large result sets that need to be chunked.
Example of how to pass a variable to query when using REST API:
This is an example of running a saved search and passing a variable to it. In this case, the variable is host field:
$curl -k -u admin:password https://splunkserver:8089/services/search/jobs/export -d search="savedsearch \ MySavedSearch%20host%3Dwolverine*"
(use "MySavedSearch" and input variable host=wolverine* )
I have a saved search named "MySavedSearch" the query of the search contains:
"index=main $host$ | head 100"
search/jobs/export method detail| Name | Type | Default | Description |
|---|---|---|---|
| search | String | Same as for POST search/jobs. | |
| auto_cancel | Number | Same as for POST search/jobs. | |
| auto_finalize_ec | Number | Same as for POST search/jobs. | |
| auto_pause | Number | Same as for POST search/jobs. | |
| earliest_time | String | Same as for POST search/jobs. | |
| enable_lookups | Bool | Same as for POST search/jobs. | |
| force_bundle_replication | Bool | Same as for POST search/jobs. | |
| id | String | Same as for POST search/jobs. | |
| index_earliest | String | Specify a time string. Sets the earliest (inclusive), respectively, time bounds for the search, based on the index time.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. | |
| index_latest | String | Specify a time string. Sets the latest (inclusive), respectively, time bounds for the search, based on the index time.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. Refer to Time modifiers for search for information and examples of specifying a time string. | |
| latest_time | String | Same as for POST search/jobs. | |
| max_time | Number | Same as for POST search/jobs. | |
| namespace | String | Same as for POST search/jobs. | |
| now | String | Same as for POST search/jobs. | |
| output_mode | Enum | xml | Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)
Specifies the format for the returned output. |
| reduce_freq | Number | Same as for POST search/jobs. | |
| reload_macros | Bool | Same as for POST search/jobs. | |
| remote_server_list | String | Same as for POST search/jobs. | |
| required_field_list | String | Same as for POST search/jobs. | |
| rf | String | Same as for POST search/jobs. | |
| rt_blocking | Bool | Same as for POST search/jobs. | |
| rt_indexfilter | Bool | Same as for POST search/jobs. | |
| rt_maxblocksecs | Number | Same as for POST search/jobs. | |
| rt_queue_size | Number | Same as for POST search/jobs. | |
| search_listener | String | Same as for POST search/jobs. | |
| search_mode | Enum | Same as for POST search/jobs. | |
| sync_bundle_replication | Bool | Same as for POST search/jobs. | |
| time_format | String | Same as for POST search/jobs. | |
| timeout | Number | Same as for POST search/jobs. |
None
except the search does not create a search ID (<sid>) and the search streams results as they become available. Streaming of results is based on the search string.
For non-streaming searches, previews of the final results are available if preview is enabled. If preview is not enabled, it is better to use search/jobs with exec_mode=oneshot.
If it is too big, you might instead run with the search/jobs (not search/jobs/export) endpoint (it takes POST with the same parameters), maybe using the exec_mode=blocking. You'll then get back a search id, and then you can page through the results and request them from the server under your control, which is a better approach for extremely large result sets that need to be chunked.
Example of how to pass a variable to query when using REST API:
This is an example of running a saved search and passing a variable to it. In this case, the variable is host field:
$curl -k -u admin:password https://splunkserver:8089/services/search/jobs/export -d search="savedsearch \ MySavedSearch%20host%3Dwolverine*"
(use "MySavedSearch" and input variable host=wolverine* )
I have a saved search named "MySavedSearch" the query of the search contains:
"index=main $host$ | head 100"
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}
Authentication: Not required
Manage the {search_id} search job.
| Method | Description | Formats |
|---|---|---|
| DELETE | Delete the {search_id} search job. | XML, JSON |
| GET | Get information about the {search_id} search job. | XML, JSON |
| POST | Update the {search_id} search job. | XML, JSON |
search/jobs/{search_id} method detailNone
None
{search_id} is the <sid> field returned from the GET operation for the search/jobs endpoint.
search/jobs/{search_id} method detailNone
None
The user ID is implied by the authentication to the call.
Information returned includes the search job properties, such as eventCount (number of events returned), runDuration (time the search took to complete), and others. The parameters to POST /search/jobs provides details on search job properties when creating a search. Search job properties are also described in "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.
The dispatchState property is of particular interest to determine the state of a search, and can contain the following values:
QUEUED
PARSING
RUNNING
PAUSED
FINALIZING
FAILED
DONE
This operation also returns performance information for the search. For more information refer to "View search job properties with the Search Job Inspector" in the Knowledge Manager Manual.
For more information on searches in Splunk, refer to the Splunk Search Reference.
POST /search/jobs returns a <sid> for a search. You can also get a search ID from the <sid> field returned from GET search/jobs.
search/jobs/{search_id} method detail| Name | Type | Default | Description |
|---|---|---|---|
| custom.* required | String | Specify custom job properties for the specified search job. |
None
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/control
Authentication: Not required
Run a job control command for the {search_id} search.
| Method | Description | Formats |
|---|---|---|
| POST | Run a job control command for the {search_id} search. | XML, JSON |
search/jobs/{search_id}/control method detail| Name | Type | Default | Description |
|---|---|---|---|
| action required | Enum | Valid values: (pause | unpause | finalize | cancel | touch | setttl | setpriority | enablepreview | disablepreview)
The control action to execute. pause: Suspends the execution of the current search. unpause: Resumes the execution of the current search, if paused. finalize: Stops the search, and provides intermediate results to the /results endpoint. cancel: Stops the current search and deletes the result cache. touch: Extends the expiration time of the search to now + ttl setttl: Change the ttl of the search. Arguments: ttl=<number> setpriority: Sets the priority of the search process. Arguments: priority=<0-10> enablepreview: Enable preview generation (may slow search considerably). disablepreview: Disable preview generation. save: saves the search job, storing search artifacts on disk for 7 days. Add or edit the default_save_ttl value in limits.conf to override the default value of 7 days. unsave: Disables any action performed by save. |
None
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/events
Authentication: Not required
Get {search_id} search events.
| Method | Description | Formats |
|---|---|---|
| GET | Get {search_id} search events. | XML, JSON |
search/jobs/{search_id}/events method detail| Name | Type | Default | Description |
|---|---|---|---|
| count | Number | 100 | The maximum number of results to return. If value is set to 0, then all available results are returned. Default value is 100.
|
| earliest_time | String | A time string representing the earliest (inclusive), respectively, time bounds for the results to be returned. If not specified, the range applies to all results found. | |
| f | String | A field to return for the event set.
You can pass multiple | |
| field_list | String | * | [Deprecated] Use f.
A comma-separated list of the fields to return for the event set. |
| latest_time | String | A time string representing the latest (exclusive), respectively, time bounds for the results to be returned. If not specified, the range applies to all results found. | |
| max_lines | Number | 0 | The maximum lines that any single event _raw field should contain.
Specify |
| offset | Number | 0 | The first result (inclusive) from which to begin returning data.
This value is 0-indexed. Default value is 0. In 4.1+, negative offsets are allowed and are added to |
| output_mode | Enum | xml | Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)
Specifies the format for the returned output. |
| output_time_format | String | time_format | Formats a UTC time. Defaults to what is specified in time_format.
|
| search | String | The post processing search to apply to results. Can be any valid search language string. | |
| segmentation | String | raw | The type of segmentation to perform on the data. This incudes an option to perform k/v segmentation. |
| time_format | String | %m/%d/%Y:%H:%M:%S | Expression to convert a formatted time string from {start,end}_time into UTC seconds. |
| truncation_mode | Enum | abstract | Valid values: (abstract | truncate)
Specifies how "max_lines" should be achieved. |
None
These events are the data from the search pipeline before the first "transforming" search command. This is the primary method for a client to fetch a set of UNTRANSFORMED events for the search job.
This endpoint is only valid if the status_buckets > 0 or the search has no transforming commands.
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/results
Authentication: Not required
Get {search_id} search results.
| Method | Description | Formats |
|---|---|---|
| GET | Get {search_id} search results. | XML, JSON |
search/jobs/{search_id}/results method detail| Name | Type | Default | Description |
|---|---|---|---|
| count | Number | 100 | The maximum number of results to return. If value is set to 0, then all available results are returned.
|
| f | String | A field to return for the event set.
You can pass multiple | |
| field_list | String | [Deprecated] Use f.
Specify a comma-separated list of the fields to return for the event set. | |
| offset | Number | 0 | The first result (inclusive) from which to begin returning data.
This value is 0-indexed. Default value is 0. In 4.1+, negative offsets are allowed and are added to Offsets in the results are always absolute and never negative. |
| output_mode | Enum | xml | Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)
Specifies the format for the returned output. |
| search | String | The post processing search to apply to results. Can be any valid search language string. |
None
This is the table that exists after all processing from the search pipeline has completed.
This is the primary method for a client to fetch a set of TRANSFORMED events. If the dispatched search does not include a transforming command, the effect is the same as get_events, however with fewer options.
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/results_preview
Authentication: Not required
Preview {search_id} search results.
| Method | Description | Formats |
|---|---|---|
| GET | Preview {search_id} search results. | XML, JSON |
search/jobs/{search_id}/results_preview method detail| Name | Type | Default | Description |
|---|---|---|---|
| count | Number | 100 | The maximum number of results to return.
If value is set to |
| f | String | A field to return for the event set.
You can pass multiple | |
| field_list | String | [Deprecated] Use f.
A comma-separated list of the fields to return for the event set. | |
| offset | Number | 0 | The first result (inclusive) from which to begin returning data.
This value is 0-indexed. Default value is 0. |
| output_mode | Enum | xml | Valid values: (atom | csv | json | json_cols | json_rows | raw | xml)
Specifies the format for the returned output. |
| search | String | The post processing search to apply to results. Can be any valid search language string. |
None
Returns the intermediate preview results of the search specified by {search_id}. When the job is complete, this gives the same response as /search/jobs/{search_id}/results. Preview is enabled for real-time searches and for searches where status_buckets > 0.
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/search.log
Authentication: Not required
Get the {search_id} search log.
| Method | Description | Formats |
|---|---|---|
| GET | Get the {search_id} search log. | XML, JSON |
search/jobs/{search_id}/search.log method detail| Name | Type | Default | Description |
|---|---|---|---|
| attachment | Boolean | false | If true, returns search.log as an attachment. Otherwise, streams search.log. |
None
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/summary
Authentication: Not required
Get the getFieldsAndStats output of the events to-date, for the search_id search.
| Method | Description | Formats |
|---|---|---|
| GET | Get the getFieldsAndStats output of the events to-date, for the search_id search. | XML, JSON |
search/jobs/{search_id}/summary method detail| Name | Type | Default | Description |
|---|---|---|---|
| earliest_time | String | Time string representing the earliest (inclusive), respectively, time bounds for the search.
The time string can be either a UTC time (with fractional seconds), a relative time specifier (to now) or a formatted time string. (Also see comment for the search_mode variable.) | |
| f | String | A field to return for the event set.
You can pass multiple | |
| field_list | String | [Deprecated] Use f.
A comma-separated list of the fields to return for the event set. | |
| histogram | Boolean | false | Indicates whether to add histogram data to the summary output. |
| latest_time | String | Time string representing the latest (exclusive), respectively, time bounds for the search. | |
| min_freq | Number | 0 | For each key, the fraction of results this key must occur in to be displayed.
Express the fraction as a number between 0 and 1. |
| output_time_format | String | time_format | Formats a UTC time. |
| search | String | Empty string | Specifies a substring that all returned events should contain either in one of their values or tags. |
| time_format | String | %m/%d/%Y:%H:%M:%S | Expression to convert a formatted time string from {start,end}_time into UTC seconds. |
| top_count | Number | 10 | For each key, specifies how many of the most frequent items to return. |
None
This endpoint is only valid when status_buckets > 0. To guarantee a set of fields in the summary, when creating the search, use the required_fields_list or rf parameters.
[ Top ]
https://<host>:<mPort>/services/search/jobs/{search_id}/timeline
Authentication: Not required
Get event distribution over time of the untransformed events read to-date, for the search_id search.
| Method | Description | Formats |
|---|---|---|
| GET | Get event distribution over time of the untransformed events read to-date, for the search_id search. | XML, JSON |
search/jobs/{search_id}/timeline method detailThe output from this endpoint provides values for the following fields:
| Field | Description |
|---|---|
| c | Event count |
| a | Available. Not all events in a bucket are retrievable. Generally capped at 10000. |
| t | Time in epoch seconds |
| d | Bucket size (time) |
| f | Indicates if the search finished scanning events from the time range of this bucket. |
| etz | Timezone offset, in seconds, for the earliest time of this bucket.
etz and ltz are different if the buckets are months or days and you have a DST change during the middle. |
| ltz | Timezone offset, in seconds, for the latest time of this bucket. |
| Name | Type | Default | Description |
|---|---|---|---|
| output_time_format | String | time_format | Formats a UTC time. |
| time_format | String | %m/%d/%Y:%H:%M:%S | Expression to convert a formatted time string from {start,end}_time into UTC seconds. |
None
This endpoint is only valid when status_buckets > 0. To guarantee a set of fields in the summary, when creating the search, use the required_fields_list or rf parameters.
[ Top ]
https://<host>:<mPort>/services/search/parser
Authentication: Not required
Provide search language parsing services.
| Method | Description | Formats |
|---|---|---|
| GET | Parses Splunk search language and returns semantic map. | XML, JSON |
search/parser method detail| Name | Type | Default | Description |
|---|---|---|---|
| enable_lookups | Boolean | false | If true, reverse lookups are done to expand the search expression.
|
| output_mode | String | xml | Specify output formatting. Select from either:
|
| parse_only | Boolean | false | If true, disables expansion of search due evaluation of subsearches, time term expansion, lookups, tags, eventtypes, sourcetype alias. |
| q required | String | The search string to parse. | |
| reload_macros | Boolean | true | If true, reload macro definitions from macros.conf. |
None
[ Top ]
https://<host>:<mPort>/services/search/scheduler
Review search scheduler enablement setting.
Authentication: Required
| Method | Description | Formats |
|---|---|---|
| GET | Get current search scheduler enablement status. | XML, JSON |
Example
None
| Name | Type | Default | Description |
|---|---|---|---|
| saved_searches_disabled | Boolean | 0 or 1 | A boolean value indicating whether the search scheduler is disabled. |
[ Top ]
https://<host>:<mPort>/services/search/scheduler/status
Enable or disable the search scheduler.
Authentication: Required
| Method | Description | Formats |
|---|---|---|
| POST | Enable or disable the search scheduler. | Boolean |
| Name | Type | Default | Description |
|---|---|---|---|
| disabled | Boolean | Indicates whether to disable the search scheduler. 0 enables the search scheduler. 1 disables the search scheduler. |
None
[ Top ]
https://<host>:<mPort>/services/search/timeparser
Authentication: Not required
Time argument parse.
| Method | Description | Formats |
|---|---|---|
| GET | Get a lookup table of time arguments to absolute timestamps. | XML, JSON |
search/timeparser method detail| Name | Type | Default | Description |
|---|---|---|---|
| now | String | The time to use as current time for relative time identifiers.
Can itself either be a relative time (from the real "now" time) or an absolute time in the format specified by | |
| output_time_format | String | %FT%T.%Q%:z | Used to format a UTC time. Defaults to the value of time_format.
|
| time required | String | The time argument to parse.
Acceptable inputs are either a relative time identifier or an absolute time. Multiple time arguments can be passed by specifying multiple time parameters. | |
| time_format | String | %FT%T.%Q%:z | The format (strftime) of the absolute time format passed in time.
This field is not used if a relative time identifier is provided. For absolute times, the default value is the ISO-8601 format. |
None
[ Top ]
https://<host>:<mPort>/services/search/typeahead
Authentication: Not required
Get search string auto-complete suggestions.
| Method | Description | Formats |
|---|---|---|
| GET | Get a list of words or descriptions for possible auto-complete terms. | XML, JSON |
search/typeahead method detail| Name | Type | Default | Description |
|---|---|---|---|
| count required | Number | The number of items to return for this term. | |
| output_mode | String | csv | Specify output formatting. Select from:
|
| prefix required | String | The term for which to return typeahead results. |
None
[ Top ]
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/-/alerts/fired_alerts
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>alerts</title>
<id>https://localhost:8089/services/alerts/fired_alerts</id>
<updated>2011-07-11T19:27:22-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>-</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/-</id>
<updated>2011-07-11T19:27:22-07:00</updated>
<link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/alerts/fired_alerts/-" rel="list"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="triggered_alert_count">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/scheduler__admin__search_aGF2ZV9ldmVudHM_at_1310437740_5d3dfde563194ffd_1310437749
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>alerts</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
<updated>2011-07-11T19:35:25-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts/MyAlert
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>alerts</title>
<id>https://localhost:8089/servicesNS/admin/search/alerts/fired_alerts</id>
<updated>2012-10-25T09:20:04-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</title>
<id>https://localhost:8089/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987</id>
<updated>2012-10-25T09:19:47-07:00</updated>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2012-10-25T09:19:47-07:00</published>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="list"/>
<link href="/servicesNS/nobody/search/alerts/fired_alerts/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31_1351181987" rel="remove"/>
<link href="/servicesNS/nobody/search/search/jobs/rt_scheduler__admin__search__MyAlert_at_1351181001_5.31" rel="job"/>
<link href="/servicesNS/nobody/search/saved/searches/MyAlert" rel="savedsearch"/>
<content type="text/xml">
<s:dict>
<s:key name="actions"/>
<s:key name="alert_type">real time</s:key>
<s:key name="digest_mode">0</s:key>
<!-- eai:acl elided -->
<s:key name="expiration_time_rendered">2012-10-26 09:19:47 PDT</s:key>
<s:key name="savedsearch_name">MyAlert</s:key>
<s:key name="severity">3</s:key>
<s:key name="sid">rt_scheduler__admin__search__MyAlert_at_1351181001_5.31</s:key>
<s:key name="trigger_time">1351181987</s:key>
<s:key name="trigger_time_rendered">2012-10-25 09:19:47 PDT</s:key>
<s:key name="triggered_alerts">5</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>commandsconf</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
<s:messages/>
<entry>
<title>bucketdir</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands/bucketdir</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/bucketdir" rel="list"/>
<link href="/servicesNS/nobody/search/data/commands/bucketdir/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/commands/bucketdir/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="changes_colorder">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="enableheader">1</s:key>
<s:key name="filename">bucketdir.py</s:key>
<s:key name="generates_timeorder">0</s:key>
<s:key name="generating">0</s:key>
<s:key name="maxinputs">50000</s:key>
<s:key name="outputheader">0</s:key>
<s:key name="passauth">0</s:key>
<s:key name="required_fields">*</s:key>
<s:key name="requires_preop">0</s:key>
<s:key name="retainsevents">0</s:key>
<s:key name="streaming">0</s:key>
<s:key name="supports_getinfo">0</s:key>
<s:key name="supports_rawargs">1</s:key>
<s:key name="type">python</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/nobody/search/data/commands/input
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>commandsconf</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/_reload" rel="_reload"/>
<s:messages/>
<entry>
<title>input</title>
<id>https://localhost:8089/servicesNS/nobody/search/data/commands/input</id>
<updated>2011-07-07T00:52:26-07:00</updated>
<link href="/servicesNS/nobody/search/data/commands/input" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/data/commands/input" rel="list"/>
<link href="/servicesNS/nobody/search/data/commands/input/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/data/commands/input/disable" rel="disable"/>
<content type="text/xml">
<s:dict>
<s:key name="changes_colorder">1</s:key>
<s:key name="disabled">0</s:key>
<s:key name="eai:appName">search</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="eai:userName">admin</s:key>
<s:key name="enableheader">1</s:key>
<s:key name="filename">input.py</s:key>
<s:key name="generates_timeorder">0</s:key>
<s:key name="generating">0</s:key>
<s:key name="maxinputs">50000</s:key>
<s:key name="outputheader">0</s:key>
<s:key name="passauth">1</s:key>
<s:key name="required_fields">*</s:key>
<s:key name="requires_preop">0</s:key>
<s:key name="retainsevents">0</s:key>
<s:key name="streaming">0</s:key>
<s:key name="supports_getinfo">0</s:key>
<s:key name="supports_rawargs">1</s:key>
<s:key name="type">python</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/saved/searches
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2011-07-13T11:56:35-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>Errors in the last 24 hours</title>
<id>https://localhost:8089/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours</id>
<updated>2011-07-13T11:56:35-07:00</updated>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="alternate"/>
<author>
<name>nobody</name>
</author>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="list"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours" rel="edit"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/disable" rel="disable"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/dispatch" rel="dispatch"/>
<link href="/servicesNS/nobody/search/saved/searches/Errors%20in%20the%20last%2024%20hours/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.sendresults"/>
<s:key name="action.email.to"/>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"/>
<s:key name="alert.suppress.period"/>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"/>
<s:key name="alert_condition"/>
<s:key name="alert_threshold"/>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"/>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time">-1d</s:key>
<s:key name="dispatch.latest_time"/>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"/>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"/>
<s:key name="qualifiedSearch">search error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"/>
<s:key name="request.ui_dispatch_view"/>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )</s:key>
<s:key name="vsid">*:75qh2fwx</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches -d name=MySavedSearch --data-urlencode search="index=_internal source=*metrics.log"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-12-09T09:10:21-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-12-09T09:10:21-08:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
<s:key name="action.email.auth_username">myusername</s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$
| sendemail "server=$action.email.mailserver{default=localhost}$"
"use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$"
"cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview"></s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">1</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to"></s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key>
<s:key name="action.populate_lookup.dest"></s:key>
<s:key name="action.populate_lookup.hostname"></s:key>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger:
$name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
</s:key>
<s:key name="action.rss.hostname"></s:key>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$"
"Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$"
maxtime="$action.script.maxtime{default=5m}$"
</s:key>
<s:key name="action.script.filename"></s:key>
<s:key name="action.script.hostname"></s:key>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
</s:key>
<s:key name="action.summary_index.hostname"></s:key>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.fields"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"></s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"></s:key>
<s:key name="dispatch.latest_time"></s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.rt_backfill">0</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"></s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"></s:key>
<s:key name="qualifiedSearch">search index=_internal source=*metrics.log</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">index=_internal source=*metrics.log</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-13T12:09:05-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-13T11:57:54-07:00</updated>
<generator version="102824"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<!-- opensearch nodes elided for brevity. -->
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-13T11:57:54-07:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">0</s:key>
<s:key name="action.email.auth_password"/>
<s:key name="action.email.auth_username"/>
<s:key name="action.email.bcc"/>
<s:key name="action.email.cc"/>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$
| sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$"
"format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)"
"sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"/>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.preprocess_results"/>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"/>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to"/>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">
copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"
</s:key>
<s:key name="action.populate_lookup.hostname"/>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">
createrss "path=$name$.xml" "name=$name$" "link=$results.url$"
"descr=Alert trigger: $name$, results.count=$results.count$ " "count=30"
"graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"
</s:key>
<s:key name="action.rss.hostname"/>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$"
"$results.count$" "$search$" "$search$" "$name$"
"Saved Search [$name$] $counttype$($results.count$)" "$results.url$"
"$deprecated_arg$" "$search_id$"
maxtime="$action.script.maxtime{default=5m}$"
</s:key>
<s:key name="action.script.hostname"/>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command">
<![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$"
file="$name$_$#random$.stash_new" name="$name$"
marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\",
key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]>
</s:key>
<s:key name="action.summary_index.hostname"/>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"/>
<s:key name="alert.suppress.period"/>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"/>
<s:key name="alert_condition"/>
<s:key name="alert_threshold"/>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"/>
<s:key name="description"/>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"/>
<s:key name="dispatch.latest_time"/>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"/>
<!-- eai:acl elided -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>action.email</s:item>
<s:item>action.email.auth_password</s:item>
<s:item>action.email.auth_username</s:item>
<s:item>action.email.bcc</s:item>
<s:item>action.email.cc</s:item>
<s:item>action.email.command</s:item>
<s:item>action.email.format</s:item>
<s:item>action.email.from</s:item>
<s:item>action.email.hostname</s:item>
<s:item>action.email.inline</s:item>
<s:item>action.email.mailserver</s:item>
<s:item>action.email.maxresults</s:item>
<s:item>action.email.maxtime</s:item>
<s:item>action.email.preprocess_results</s:item>
<s:item>action.email.reportPaperOrientation</s:item>
<s:item>action.email.reportPaperSize</s:item>
<s:item>action.email.reportServerEnabled</s:item>
<s:item>action.email.reportServerURL</s:item>
<s:item>action.email.sendpdf</s:item>
<s:item>action.email.sendresults</s:item>
<s:item>action.email.subject</s:item>
<s:item>action.email.to</s:item>
<s:item>action.email.track_alert</s:item>
<s:item>action.email.ttl</s:item>
<s:item>action.email.use_ssl</s:item>
<s:item>action.email.use_tls</s:item>
<s:item>action.populate_lookup</s:item>
<s:item>action.populate_lookup.command</s:item>
<s:item>action.populate_lookup.hostname</s:item>
<s:item>action.populate_lookup.maxresults</s:item>
<s:item>action.populate_lookup.maxtime</s:item>
<s:item>action.populate_lookup.track_alert</s:item>
<s:item>action.populate_lookup.ttl</s:item>
<s:item>action.rss</s:item>
<s:item>action.rss.command</s:item>
<s:item>action.rss.hostname</s:item>
<s:item>action.rss.maxresults</s:item>
<s:item>action.rss.maxtime</s:item>
<s:item>action.rss.track_alert</s:item>
<s:item>action.rss.ttl</s:item>
<s:item>action.script</s:item>
<s:item>action.script.command</s:item>
<s:item>action.script.hostname</s:item>
<s:item>action.script.maxresults</s:item>
<s:item>action.script.maxtime</s:item>
<s:item>action.script.track_alert</s:item>
<s:item>action.script.ttl</s:item>
<s:item>action.summary_index</s:item>
<s:item>action.summary_index._name</s:item>
<s:item>action.summary_index.command</s:item>
<s:item>action.summary_index.hostname</s:item>
<s:item>action.summary_index.inline</s:item>
<s:item>action.summary_index.maxresults</s:item>
<s:item>action.summary_index.maxtime</s:item>
<s:item>action.summary_index.track_alert</s:item>
<s:item>action.summary_index.ttl</s:item>
<s:item>actions</s:item>
<s:item>alert.digest_mode</s:item>
<s:item>alert.expires</s:item>
<s:item>alert.severity</s:item>
<s:item>alert.suppress</s:item>
<s:item>alert.suppress.period</s:item>
<s:item>alert.track</s:item>
<s:item>alert_comparator</s:item>
<s:item>alert_condition</s:item>
<s:item>alert_threshold</s:item>
<s:item>alert_type</s:item>
<s:item>cron_schedule</s:item>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>dispatch.buckets</s:item>
<s:item>dispatch.earliest_time</s:item>
<s:item>dispatch.latest_time</s:item>
<s:item>dispatch.lookups</s:item>
<s:item>dispatch.max_count</s:item>
<s:item>dispatch.max_time</s:item>
<s:item>dispatch.reduce_freq</s:item>
<s:item>dispatch.spawn_process</s:item>
<s:item>dispatch.time_format</s:item>
<s:item>dispatch.ttl</s:item>
<s:item>displayview</s:item>
<s:item>is_scheduled</s:item>
<s:item>is_visible</s:item>
<s:item>max_concurrent</s:item>
<s:item>next_scheduled_time</s:item>
<s:item>qualifiedSearch</s:item>
<s:item>realtime_schedule</s:item>
<s:item>request.ui_dispatch_app</s:item>
<s:item>request.ui_dispatch_view</s:item>
<s:item>restart_on_searchpeer_add</s:item>
<s:item>run_on_startup</s:item>
<s:item>vsid</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>search</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list>
<s:item>action\..*</s:item>
<s:item>args\..*</s:item>
<s:item>dispatch\..*</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"/>
<s:key name="qualifiedSearch">search index</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"/>
<s:key name="request.ui_dispatch_view"/>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">index</s:key>
<s:key name="vsid"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch -d actions=email -d action.email.to="nobody@example.com, info@example.com" -d search="my search here"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:20:14-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-26T18:20:14-04:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/move" rel="move"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/disable" rel="disable"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/history" rel="history"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$"
"graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$"
maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">0</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">nobody@example.com,info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">86400</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.populate_lookup">0</s:key>
<s:key name="action.populate_lookup.command">copyresults dest="$action.populate_lookup.dest$" sid="$search_id$"</s:key>
<s:key name="action.populate_lookup.hostname"></s:key>
<s:key name="action.populate_lookup.maxresults">10000</s:key>
<s:key name="action.populate_lookup.maxtime">5m</s:key>
<s:key name="action.populate_lookup.track_alert">0</s:key>
<s:key name="action.populate_lookup.ttl">120</s:key>
<s:key name="action.rss">0</s:key>
<s:key name="action.rss.command">createrss "path=$name$.xml" "name=$name$" "link=$results.url$" "descr=Alert trigger: $name$, results.count=$results.count$ " "count=30" "graceful=$graceful{default=1}$" maxtime="$action.rss.maxtime{default=1m}$"</s:key>
<s:key name="action.rss.hostname"></s:key>
<s:key name="action.rss.maxresults">10000</s:key>
<s:key name="action.rss.maxtime">1m</s:key>
<s:key name="action.rss.track_alert">0</s:key>
<s:key name="action.rss.ttl">86400</s:key>
<s:key name="action.script">0</s:key>
<s:key name="action.script.command">runshellscript "$action.script.filename$" "$results.count$" "$search$" "$search$" "$name$" "Saved Search [$name$] $counttype$($results.count$)" "$results.url$" "$deprecated_arg$" "$search_id$" "$results.file$" maxtime="$action.script.maxtime{default=5m}$"</s:key>
<s:key name="action.script.hostname"></s:key>
<s:key name="action.script.maxresults">10000</s:key>
<s:key name="action.script.maxtime">5m</s:key>
<s:key name="action.script.track_alert">1</s:key>
<s:key name="action.script.ttl">600</s:key>
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
<s:key name="action.summary_index.command"><![CDATA[summaryindex spool=t uselb=t addtime=t index="$action.summary_index._name{required=yes}$" file="$name$_$#random$.stash_new" name="$name$" marker="$action.summary_index*{format=$KEY=\\\"$VAL\\\", key_regex="action.summary_index.(?!(?:command|inline|maxresults|maxtime|ttl|track_alert|(?:_.*))$)(.*)"}$"]]></s:key>
<s:key name="action.summary_index.hostname"></s:key>
<s:key name="action.summary_index.inline">1</s:key>
<s:key name="action.summary_index.maxresults">10000</s:key>
<s:key name="action.summary_index.maxtime">5m</s:key>
<s:key name="action.summary_index.track_alert">0</s:key>
<s:key name="action.summary_index.ttl">120</s:key>
<s:key name="actions">email</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule"></s:key>
<s:key name="description"></s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time"></s:key>
<s:key name="dispatch.latest_time"></s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
<s:key name="dispatch.reduce_freq">10</s:key>
<s:key name="dispatch.rt_backfill">0</s:key>
<s:key name="dispatch.spawn_process">1</s:key>
<s:key name="dispatch.time_format">%FT%T.%Q%:z</s:key>
<s:key name="dispatch.ttl">2p</s:key>
<s:key name="displayview"></s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">0</s:key>
<s:key name="is_visible">1</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time"></s:key>
<s:key name="qualifiedSearch">search my seach here</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="search">my search here</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MyAlert/acknowledge -X POST
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:31:07-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch -d trigger_actions=1
<?xml version='1.0' encoding='UTF-8'?>
<response><sid>admin__admin__search__MySavedSearch_at_1311797437_d831d980832e3e89</sid></response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/history
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:13:20-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>2</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2</id>
<updated>2011-07-26T18:13:18-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-26T18:13:01-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311718380_4270ba99c46128d2" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="isDone">1</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isScheduled">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="ttl">86382</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b</id>
<updated>2011-07-26T17:51:23-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-26T17:51:01-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_MySavedSearch_at_1311717060_7d9aa142eba2437b" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="isDone">1</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isScheduled">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="ttl">85062</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/saved/searches/Purchased%20products%2C%20last%2024%20hours/reschedule -d schedule_time=2012-08-15T14:11:01Z
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2012-07-27T11:21:43-07:00</updated>
<generator build="131547" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/services/saved/searches/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/services/saved/searches</id>
<updated>2011-12-02T11:12:55-08:00</updated>
<generator version="108769"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/saved/searches/_new" rel="create"/>
<link href="/services/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__dashboard_live</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live</id>
<updated>2011-12-02T11:12:55-08:00</updated>
<link href="/servicesNS/admin/search/saved/searches/_ScheduledView__dashboard_live" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password">$1$o2rN8S6m+0YB</s:key>
<s:key name="action.email.auth_username">myusername</s:key>
. . . elided . . .
<s:key name="action.email.pdfview">dashboard_live</s:key>
. . . elided . . .
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">myusername@example.com</s:key>
. . . elided . . .
<s:key name="action.summary_index">0</s:key>
<s:key name="action.summary_index._name">summary</s:key>
. . . elided . . .
<s:key name="actions">email</s:key>
<s:key name="alert.digest_mode">1</s:key>
<s:key name="alert.expires">24h</s:key>
<s:key name="alert.severity">3</s:key>
<s:key name="alert.suppress"></s:key>
<s:key name="alert.suppress.fields"></s:key>
<s:key name="alert.suppress.period"></s:key>
<s:key name="alert.track">auto</s:key>
<s:key name="alert_comparator"></s:key>
<s:key name="alert_condition"></s:key>
<s:key name="alert_threshold"></s:key>
<s:key name="alert_type">always</s:key>
<s:key name="cron_schedule">*/30 * * * *</s:key>
<s:key name="description">scheduled search for view name=dashboard_live</s:key>
<s:key name="disabled">0</s:key>
<s:key name="dispatch.buckets">0</s:key>
<s:key name="dispatch.earliest_time">1</s:key>
<s:key name="dispatch.latest_time">2</s:key>
<s:key name="dispatch.lookups">1</s:key>
<s:key name="dispatch.max_count">500000</s:key>
<s:key name="dispatch.max_time">0</s:key>
. . . elided . . .
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="is_visible">0</s:key>
<s:key name="max_concurrent">1</s:key>
<s:key name="next_scheduled_time">2011-12-02 11:30:00 PST</s:key>
<s:key name="qualifiedSearch"> noop</s:key>
<s:key name="realtime_schedule">1</s:key>
<s:key name="request.ui_dispatch_app"></s:key>
<s:key name="request.ui_dispatch_view"></s:key>
<s:key name="restart_on_searchpeer_add">1</s:key>
<s:key name="run_on_startup">0</s:key>
<s:key name="scheduled_times"><s:list><s:item>1322836200</s:item><s:item>1322838000</s:item><s:item>1322839800</s:item><s:item>1322841600</s:item></s:list></s:key>
<s:key name="search">| noop</s:key>
<s:key name="vsid"></s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/suppress
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>savedsearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches</id>
<updated>2011-07-26T18:22:51-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/_new" rel="create"/>
<link href="/servicesNS/admin/search/saved/searches/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>MySavedSearch</title>
<id>https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch</id>
<updated>2011-07-26T18:22:51-04:00</updated>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="list"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="edit"/>
<link href="/servicesNS/admin/search/saved/searches/MySavedSearch" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
<s:key name="expiration">13811</s:key>
<s:key name="suppressed">1</s:key>
<s:key name="suppressionKey">admin;search;MySavedSearch;;</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/scheduled/views
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
<updated>2011-07-27T16:27:55-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView</id>
<updated>2011-07-27T16:27:55-04:00</updated>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/admin/scheduledviews/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults"></s:key>
<s:key name="action.email.to">email@example.com</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="cron_schedule">* * * * *</s:key>
<s:key name="description">scheduled search for view name=MyView</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 16:28:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass --request DELETE https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/admin/scheduledviews</id>
<updated>2011-07-27T16:16:02-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/admin/scheduledviews/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T17:12:11-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
<updated>2011-07-27T17:12:11-04:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="cron_schedule">* * * * *</s:key>
<s:key name="description">scheduled search for view name=MyView</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list>
<s:item>description</s:item>
<s:item>disabled</s:item>
<s:item>next_scheduled_time</s:item>
</s:list>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>action.email.to</s:item>
<s:item>cron_schedule</s:item>
<s:item>is_scheduled</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list><s:item>action\.email.*</s:item></s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 17:13:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew -d action.email.to="info@example.com" -d cron_schedule="0 * * * *" -d is_scheduled=1 -d description="New description"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T17:59:32-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView</id>
<updated>2011-07-27T17:59:32-04:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="alternate"/>
<author>
<name>admin</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="list"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/_reload" rel="_reload"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="edit"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView" rel="remove"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/move" rel="move"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/disable" rel="disable"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/dispatch" rel="dispatch"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/history" rel="history"/>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__MyView/notify" rel="notify"/>
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command">
<![CDATA[$action.email.preprocess_results{default=""}$ |
sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$"
"use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$"
"bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$"
"subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$"
"sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$"
"ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$"
"sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$"
"pdfview=$action.email.pdfview$" "searchid=$search_id$" "graceful=$graceful{default=True}$"
maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]>
</s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">MyView</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">0</s:key>
<s:key name="action.email.reportServerURL"></s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">info@example.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="cron_schedule">0 * * * *</s:key>
<s:key name="description">New Description</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-07-27 18:00:00 EDT</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyView/dispatch -d trigger_actions=1
<?xml version='1.0' encoding='UTF-8'?>
<response><sid>admin__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311805021_c24ff1ea77ad714b</sid></response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/scheduled/views/MyVew/history
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>_ScheduledView__MyView</title>
<id>https://localhost:8089/servicesNS/admin/search/scheduled/views</id>
<updated>2011-07-27T16:25:22-04:00</updated>
<generator version="104601"/>
<author>
<name>Splunk</name>
</author>
<link href="/servicesNS/admin/search/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</title>
<id>https://localhost:8089/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a</id>
<updated>2011-07-27T16:25:15-04:00</updated>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="alternate"/>
<author>
<name>admin</name>
</author>
<published>2011-07-27T16:25:15-04:00</published>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="list"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a/_reload" rel="_reload"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="edit"/>
<link href="/servicesNS/nobody/search/search/jobs/scheduler__admin__search_X1NjaGVkdWxlZFZpZXdfX015Vmlldw_at_1311798300_842d7ca298ab521a" rel="remove"/>
<content type="text/xml">
<s:dict>
<!-- eai:acl elided -->
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard2/reschedule -d schedule_time=2013-02-15T14:11:01Z
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://localhost:8089/services/scheduled/views</id>
<updated>2012-10-02T08:48:18-07:00</updated>
<generator build="138753" version="5.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:admin https://localhost:8089/services/scheduled/views/_ScheduledView__dashboard_live/scheduled_times --get -d earliest_time=-5h -d latest_time=-3h
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduledviews</title>
<id>https://wma-mbp15:8089/services/scheduled/views</id>
<updated>2011-12-01T14:40:18-08:00</updated>
<generator version="112383"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/scheduled/views/_reload" rel="_reload"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>_ScheduledView__dashboard_live</title>
<id>https://wma-mbp15:8089/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live</id>
<updated>2011-12-01T14:40:18-08:00</updated>
<link href="/servicesNS/admin/search/scheduled/views/_ScheduledView__dashboard_live" rel="alternate"/>
<author>
<name>admin</name>
</author>
<!-- opensearch nodes elided for brevity. -->
<content type="text/xml">
<s:dict>
<s:key name="action.email">1</s:key>
<s:key name="action.email.auth_password"></s:key>
<s:key name="action.email.auth_username"></s:key>
<s:key name="action.email.bcc"></s:key>
<s:key name="action.email.cc"></s:key>
<s:key name="action.email.command"><![CDATA[$action.email.preprocess_results{default=""}$ | sendemail "server=$action.email.mailserver{default=localhost}$" "use_ssl=$action.email.use_ssl{default=false}$" "use_tls=$action.email.use_tls{default=false}$" "to=$action.email.to$" "cc=$action.email.cc$" "bcc=$action.email.bcc$" "from=$action.email.from{default=splunk@localhost}$" "subject=$action.email.subject{recurse=yes}$" "format=$action.email.format{default=csv}$" "sssummary=Saved Search [$name$]: $counttype$($results.count$)" "sslink=$results.url$" "ssquery=$search$" "ssname=$name$" "inline=$action.email.inline{default=False}$" "sendresults=$action.email.sendresults{default=False}$" "sendpdf=$action.email.sendpdf{default=False}$" "pdfview=$action.email.pdfview$" "searchid=$search_id$" "width_sort_columns=$action.email.width_sort_columns$" "graceful=$graceful{default=True}$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$"]]></s:key>
<s:key name="action.email.format">html</s:key>
<s:key name="action.email.from">splunk</s:key>
<s:key name="action.email.hostname"></s:key>
<s:key name="action.email.inline">0</s:key>
<s:key name="action.email.mailserver">localhost</s:key>
<s:key name="action.email.maxresults">10000</s:key>
<s:key name="action.email.maxtime">5m</s:key>
<s:key name="action.email.pdfview">dashboard_live</s:key>
<s:key name="action.email.preprocess_results"></s:key>
<s:key name="action.email.reportPaperOrientation">portrait</s:key>
<s:key name="action.email.reportPaperSize">letter</s:key>
<s:key name="action.email.reportServerEnabled">1</s:key>
<s:key name="action.email.reportServerURL"> </s:key>
<s:key name="action.email.sendpdf">1</s:key>
<s:key name="action.email.sendresults">0</s:key>
<s:key name="action.email.subject">Splunk Alert: $name$</s:key>
<s:key name="action.email.to">wma@splunk.com</s:key>
<s:key name="action.email.track_alert">1</s:key>
<s:key name="action.email.ttl">10</s:key>
<s:key name="action.email.use_ssl">0</s:key>
<s:key name="action.email.use_tls">0</s:key>
<s:key name="action.email.width_sort_columns">1</s:key>
<s:key name="cron_schedule">/5 * * * *</s:key>
<s:key name="description">scheduled search for view name=dashboard_live</s:key>
<s:key name="disabled">0</s:key>
<!-- eai:acl elided -->
<s:key name="is_scheduled">1</s:key>
<s:key name="next_scheduled_time">2011-12-01 15:00:00 PST</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:pass https://localhost:8089/services/search/jobs --get -d search="eventCount>100"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>jobs</title>
<id>https://localhost:8089/services/search/jobs</id>
<updated>2011-06-21T10:12:22-07:00</updated>
<generator version="100492"/>
<author>
<name>Splunk</name>
</author>
<opensearch:totalResults>8</opensearch:totalResults>
<opensearch:itemsPerPage>0</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<entry>
<title>search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput
| chart sum(kb) by series | sort -sum(kb) | head 5</title>
<id>https://localhost:8089/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</id>
<updated>2011-06-21T10:10:31.000-07:00</updated>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4" rel="alternate"/>
<published>2011-06-21T10:10:23.000-07:00</published>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/search.log" rel="log"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/events" rel="events"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results" rel="results"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/results_preview" rel="results_preview"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/timeline" rel="timeline"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/summary" rel="summary"/>
<link href="/services/search/jobs/scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4/control" rel="control"/>
<author>
<name>splunk-system-user</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="delegate">scheduler</s:key>
<s:key name="diskUsage">73728</s:key>
<s:key name="dispatchState">DONE</s:key>
<s:key name="doneProgress">1.00000</s:key>
<s:key name="dropCount">0</s:key>
<s:key name="earliestTime">2011-06-20T10:10:00.000-07:00</s:key>
<s:key name="eventAvailableCount">0</s:key>
<s:key name="eventCount">1363</s:key>
<s:key name="eventFieldCount">0</s:key>
<s:key name="eventIsStreaming">1</s:key>
<s:key name="eventIsTruncated">1</s:key>
<s:key name="eventSearch">search index=_internal (source=*/metrics.log* OR source=*\\metrics.log*) group=per_sourcetype_thruput </s:key>
<s:key name="eventSorting">none</s:key>
<s:key name="isDone">1</s:key>
<s:key name="isFailed">0</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isPaused">0</s:key>
<s:key name="isPreviewEnabled">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isRemoteTimeline">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isSavedSearch">1</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="keywords">group::per_sourcetype_thruput index::_internal source::*/metrics.log* source::*\metrics.log*</s:key>
<s:key name="label">Top five sourcetypes</s:key>
<s:key name="latestTime">2011-06-21T10:10:00.000-07:00</s:key>
<s:key name="numPreviews">0</s:key>
<s:key name="priority">5</s:key>
<s:key name="remoteSearch">litsearch index=_internal ( source=*/metrics.log* OR source=*\\metrics.log* )
group=per_sourcetype_thruput | addinfo type=count label=prereport_events
| fields keepcolorder=t "kb" "prestats_reserved_*" "psrsvd_*" "series"
| convert num("kb") | prestats sum(kb) AS "sum(kb)" by series</s:key>
<s:key name="reportSearch">chart sum(kb) by series | sort -sum(kb) | head 5</s:key>
<s:key name="resultCount">4</s:key>
<s:key name="resultIsStreaming">0</s:key>
<s:key name="resultPreviewCount">4</s:key>
<s:key name="runDuration">0.259000</s:key>
<s:key name="scanCount">1363</s:key>
<s:key name="searchEarliestTime">1308589800.000000000</s:key>
<s:key name="searchLatestTime">1308676200.000000000</s:key>
<s:key name="sid">scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1308676200_22702c154383bbe4</s:key>
<s:key name="statusBuckets">0</s:key>
<s:key name="ttl">489</s:key>
<s:key name="performance">
<s:dict>
<s:key name="command.addinfo">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.chart">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">100000</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.convert">
<s:dict>
<s:key name="duration_secs">0.006</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.fields">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.head">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.presort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="command.prestats">
<s:dict>
<s:key name="duration_secs">0.014</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">12</s:key>
</s:dict>
</s:key>
<s:key name="command.search">
<s:dict>
<s:key name="duration_secs">0.058</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.fieldalias">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">3</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.filter">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.index">
<s:dict>
<s:key name="duration_secs">0.010</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
<s:key name="command.search.kv">
<s:dict>
<s:key name="duration_secs">0.011</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.lookups">
<s:dict>
<s:key name="duration_secs">0.003</s:key>
<s:key name="invocations">3</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.rawdata">
<s:dict>
<s:key name="duration_secs">0.034</s:key>
<s:key name="invocations">3</s:key>
</s:dict>
</s:key>
<s:key name="command.search.tags">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.search.typer">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">5</s:key>
<s:key name="input_count">1363</s:key>
<s:key name="output_count">1363</s:key>
</s:dict>
</s:key>
<s:key name="command.sort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
<s:key name="input_count">4</s:key>
<s:key name="output_count">4</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.createProviderQueue">
<s:dict>
<s:key name="duration_secs">0.067</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate">
<s:dict>
<s:key name="duration_secs">0.038</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.chart">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.head">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.search">
<s:dict>
<s:key name="duration_secs">0.037</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.sort">
<s:dict>
<s:key name="duration_secs">0.001</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.fetch">
<s:dict>
<s:key name="duration_secs">0.126</s:key>
<s:key name="invocations">6</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.stream.local">
<s:dict>
<s:key name="duration_secs">0.070</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="messages">
<s:dict/>
</s:key>
<s:key name="request">
<s:dict>
<s:key name="ui_dispatch_app"></s:key>
<s:key name="ui_dispatch_view"></s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="owner">nobody</s:key>
<s:key name="modifiable">true</s:key>
<s:key name="sharing">global</s:key>
<s:key name="app">search</s:key>
<s:key name="can_write">true</s:key>
</s:dict>
</s:key>
<s:key name="searchProviders">
<s:list>
<s:item>mbp15.splunk.com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
. . . elided . . .
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs --data-urlencode search="search index=_internal source=*/metrics.log" -d id=mysearch_02151949 -d max_count=50000 -d status_buckets=300
curl -u admin:changeme -k https://localhost:8089/services/search/jobs
-d search="search *"
-d custom.foobar="myCustomPropA"
-d custom.foobaz="myCustomPropB"
Use the search/jobs GET request to view the custom properties.
curl -k -u admin:changed https://localhost:8089/services/search/jobs
-d search="search index=_* *"
-d search_mode="realtime"
-d indexedRealtime="1"
-d indexedRealtimeOffset="300"
<response><sid>mysearch_02151949</sid></response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index%3D_internal | head 1"
<results preview='0'>
<meta>
<fieldOrder>
<field>_cd</field>
<field>_indextime</field>
<field>_raw</field>
<field>_serial</field>
<field>_si</field>
<field>_sourcetype</field>
<field>_subsecond</field>
<field>_time</field>
<field>host</field>
<field>index</field>
<field>linecount</field>
<field>source</field>
<field>sourcetype</field>
<field>splunk_server</field>
</fieldOrder>
</meta>
<messages>
<msg type="DEBUG">base lispy: [ AND index::_internal ]</msg>
<msg type="DEBUG">search context: user="admin", app="search", bs-pathname="/Applications/splunk/etc"</msg>
<msg type="INFO">Your timerange was substituted based on your search string</msg>
</messages>
<result offset='0'>
<field k='_cd'>
<value><text>50:59480</text></value>
</field>
<field k='_indextime'>
<value><text>1333739623</text></value>
</field>
<field k='_raw'><v xml:space='preserve' trunc='0'>127.0.0.1 - admin [06/Apr/2012:12:13:42.943 -0700] "POST /servicesNS/admin/search/search/jobs/export HTTP/1.1" 200 2063 - - - 317ms</v></field>
<field k='_serial'>
<value><text>0</text></value>
</field>
<field k='_si'>
<value><text>mbp15.splunk.com</text></value>
<value><text>_internal</text></value>
</field>
<field k='_sourcetype'>
<value><text>splunkd_access</text></value>
</field>
<field k='_subsecond'>
<value><text>.943</text></value>
</field>
<field k='_time'>
<value><text>2012-04-06 12:13:42.943 PDT</text></value>
</field>
<field k='host'>
<value><text>mbp15.splunk.com</text></value>
</field>
<field k='index'>
<value h='1'><text>_internal</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>/Applications/splunk/var/log/splunk/splunkd_access.log</text></value>
</field>
<field k='sourcetype'>
<value><text>splunkd_access</text></value>
</field>
<field k='splunk_server'>
<value><text>mbp15.splunk.com</text></value>
</field>
</result>
</results>
curl -k -u admin:pass --request DELETE https://localhost:8089/services/search/jobs/mysearch_02151949
<response><messages><msg type='INFO'>Search job cancelled.</msg></messages></response
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949
<entry
xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>search index</title>
<id>https://localhost:8089/services/search/jobs/mysearch_02151949</id>
<updated>2011-07-07T20:49:58.000-07:00</updated>
<link href="/services/search/jobs/mysearch_02151949" rel="alternate"/>
<published>2011-07-07T20:49:57.000-07:00</published>
<link href="/services/search/jobs/mysearch_02151949/search.log" rel="search.log"/>
<link href="/services/search/jobs/mysearch_02151949/events" rel="events"/>
<link href="/services/search/jobs/mysearch_02151949/results" rel="results"/>
<link href="/services/search/jobs/mysearch_02151949/results_preview" rel="results_preview"/>
<link href="/services/search/jobs/mysearch_02151949/timeline" rel="timeline"/>
<link href="/services/search/jobs/mysearch_02151949/summary" rel="summary"/>
<link href="/services/search/jobs/mysearch_02151949/control" rel="control"/>
<author>
<name>admin</name>
</author>
<content type="text/xml">
<s:dict>
<s:key name="cursorTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="delegate"></s:key>
<s:key name="diskUsage">2174976</s:key>
<s:key name="dispatchState">DONE</s:key>
<s:key name="doneProgress">1.00000</s:key>
<s:key name="dropCount">0</s:key>
<s:key name="earliestTime">2011-07-07T11:18:08.000-07:00</s:key>
<s:key name="eventAvailableCount">287</s:key>
<s:key name="eventCount">287</s:key>
<s:key name="eventFieldCount">6</s:key>
<s:key name="eventIsStreaming">1</s:key>
<s:key name="eventIsTruncated">0</s:key>
<s:key name="eventSearch">search index</s:key>
<s:key name="eventSorting">desc</s:key>
<s:key name="isDone">1</s:key>
<s:key name="isFailed">0</s:key>
<s:key name="isFinalized">0</s:key>
<s:key name="isPaused">0</s:key>
<s:key name="isPreviewEnabled">0</s:key>
<s:key name="isRealTimeSearch">0</s:key>
<s:key name="isRemoteTimeline">0</s:key>
<s:key name="isSaved">0</s:key>
<s:key name="isSavedSearch">0</s:key>
<s:key name="isZombie">0</s:key>
<s:key name="keywords">index</s:key>
<s:key name="label"></s:key>
<s:key name="latestTime">1969-12-31T16:00:00.000-08:00</s:key>
<s:key name="numPreviews">0</s:key>
<s:key name="priority">5</s:key>
<s:key name="remoteSearch">litsearch index | fields keepcolorder=t "host" "index" "linecount" "source" "sourcetype" "splunk_server"</s:key>
<s:key name="reportSearch"></s:key>
<s:key name="resultCount">287</s:key>
<s:key name="resultIsStreaming">1</s:key>
<s:key name="resultPreviewCount">287</s:key>
<s:key name="runDuration">1.004000</s:key>
<s:key name="scanCount">287</s:key>
<s:key name="sid">mysearch_02151949</s:key>
<s:key name="statusBuckets">0</s:key>
<s:key name="ttl">516</s:key>
<s:key name="performance">
<s:dict>
<s:key name="command.fields">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search">
<s:dict>
<s:key name="duration_secs">0.089</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">0</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.fieldalias">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.index">
<s:dict>
<s:key name="duration_secs">0.005</s:key>
<s:key name="invocations">4</s:key>
</s:dict>
</s:key>
<s:key name="command.search.kv">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="command.search.lookups">
<s:dict>
<s:key name="duration_secs">0.002</s:key>
<s:key name="invocations">2</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.rawdata">
<s:dict>
<s:key name="duration_secs">0.083</s:key>
<s:key name="invocations">2</s:key>
</s:dict>
</s:key>
<s:key name="command.search.tags">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="command.search.typer">
<s:dict>
<s:key name="duration_secs">0.004</s:key>
<s:key name="invocations">4</s:key>
<s:key name="input_count">287</s:key>
<s:key name="output_count">287</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.createProviderQueue">
<s:dict>
<s:key name="duration_secs">0.059</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate">
<s:dict>
<s:key name="duration_secs">0.037</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.evaluate.search">
<s:dict>
<s:key name="duration_secs">0.036</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.fetch">
<s:dict>
<s:key name="duration_secs">0.092</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.readEventsInResults">
<s:dict>
<s:key name="duration_secs">0.110</s:key>
<s:key name="invocations">1</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.stream.local">
<s:dict>
<s:key name="duration_secs">0.089</s:key>
<s:key name="invocations">4</s:key>
</s:dict>
</s:key>
<s:key name="dispatch.timeline">
<s:dict>
<s:key name="duration_secs">0.359</s:key>
<s:key name="invocations">5</s:key>
</s:dict>
</s:key>
</s:dict>
</s:key>
<s:key name="messages">
<s:dict/>
</s:key>
<s:key name="request">
<s:dict>
<s:key name="id">mysearch_02151949</s:key>
<s:key name="search">search index</s:key>
</s:dict>
</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="owner">admin</s:key>
<s:key name="modifiable">true</s:key>
<s:key name="sharing">global</s:key>
<s:key name="app">search</s:key>
<s:key name="can_write">true</s:key>
</s:dict>
</s:key>
<s:key name="searchProviders">
<s:list>
<s:item>mbp15.splunk.com</s:item>
</s:list>
</s:key>
</s:dict>
</content>
</entry>
curl -k -u admin:pass https://localhost:8089/services/search/jobs/{search_id} -d custom.*=UNDONE_curl_param
TBD
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/control -d action=pause
<response><messages><msg type='INFO'>Search job paused.</msg></messages></response>
curl -k -u admin:pass https://localhost:8089/services/search/jobs/1312313809.20/events --get -d f=arch -d f=build -d f=connectionType -d r -d count=3
<results preview='0'>
<meta>
<fieldOrder>
<field>arch</field>
<field>build</field>
<field>connectionType</field>
<field>date_hour</field>
</fieldOrder>
</meta>
<result offset='0'>
<field k='arch'>
<value><text>i686</text></value>
</field>
<field k='build'>
<value><text>98164</text></value>
</field>
<field k='connectionType'>
<value><text>cooked</text></value>
</field>
<field k='date_hour'>
<value><text>19</text></value>
</field>
</result>
<result offset='1'>
<field k='arch'>
<value><text>i686</text></value>
</field>
<field k='build'>
<value><text>98164</text></value>
</field>
<field k='connectionType'>
<value><text>cooked</text></value>
</field>
<field k='date_hour'>
<value><text>19</text></value>
</field>
</result>
<result offset='2'>
<field k='arch'>
<value><text>i686</text></value>
</field>
<field k='build'>
<value><text>98164</text></value>
</field>
<field k='connectionType'>
<value><text>cooked</text></value>
</field>
<field k='date_hour'>
<value><text>19</text></value>
</field>
</result>
</results>
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
{ "init_offset" : 0,
"messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
"type" : "DEBUG"
},
{ "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
"type" : "DEBUG"
}
],
"preview" : false,
"results" : [ { "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
}
]
}
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/results_preview --get -d f=index -d f=source -d f=sourcetype -d count=3 -d output_mode=json
{ "init_offset" : 0,
"messages" : [ { "text" : "base lispy: [ AND index::_internal source::*/metrics.log ]",
"type" : "DEBUG"
},
{ "text" : "search context: user=\"admin\", app=\"search\", bs-pathname=\"/Applications/splunk/etc\"",
"type" : "DEBUG"
}
],
"preview" : false,
"results" : [ { "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
},
{ "index" : "_internal",
"source" : "/Applications/splunk/var/log/splunk/metrics.log",
"sourcetype" : "splunkd"
}
]
}
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mysearch_02151949/search.log
TBD
07-07-2011 21:36:22.066 INFO ApplicationManager - Found application directory: /Applications/splunk4.3/etc/apps/user-prefs
07-07-2011 21:36:22.066 INFO ApplicationManager - Initialized at least 12 applications: /Applications/splunk4.3/etc/apps
07-07-2011 21:36:22.066 INFO ApplicationManager - Found 5 application(s) that might have global exports
07-07-2011 21:36:22.073 INFO dispatchRunner - initing LicenseMgr in search process: nonPro=0
07-07-2011 21:36:22.074 INFO LicenseMgr - Initing LicenseMgr
07-07-2011 21:36:22.075 INFO ServerConfig - My GUID is "1F3A34AE-75DA-4680-B184-5BF309843919".
07-07-2011 21:36:22.075 INFO ServerConfig - My hostname is "ombroso-mbp15.local".
07-07-2011 21:36:22.076 INFO SSLCommon - added zlib compression
07-07-2011 21:36:22.077 INFO ServerConfig - Default output queue for file-based input: parsingQueue.
07-07-2011 21:36:22.077 INFO LMConfig - serverName=mbp15.splunk.com guid=1F3A34AE-75DA-4680-B184-5BF309843919
07-07-2011 21:36:22.077 INFO LMConfig - connection_timeout=30
07-07-2011 21:36:22.077 INFO LMConfig - send_timeout=30
07-07-2011 21:36:22.077 INFO LMConfig - receive_timeout=30
. . . elided . . .
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/summary --get -d f=source -d f=sourcetype -d f=host -d top_count=5
<?xml version='1.0' encoding='UTF-8'?>
<summary earliest_time='1969-12-31T16:00:00.000-08:00' latest_time='1969-12-31T16:00:00.464-08:00' duration='0' c='150375'>
<field k='host' c='150375' nc='0' dc='1' exact='1'>
<modes>
<value c='150375' exact='1'><text>tiny</text></value> </modes>
</field>
<field k='source' c='150375' nc='0' dc='13' exact='1'>
<modes>
<value c='136107' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/metrics.log</text></value> <value c='6682' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd_access.log</text></value> <value c='4656' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/scheduler.log</text></value> <value c='1714' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/web_access.log</text></value> <value c='937' exact='1'><text>/mnt/scsi/steveyz/splunksi/var/log/splunk/splunkd.log</text></value> </modes>
</field>
<field k='sourcetype' c='150375' nc='0' dc='10' exact='1'>
<modes>
<value c='137053' exact='1'><text>splunkd</text></value> <value c='6682' exact='1'><text>splunkd_access</text></value> <value c='4656' exact='1'><text>scheduler</text></value> <value c='1714' exact='1'><text>splunk_web_access</text></value> <value c='193' exact='1'><text>splunk_web_service</text></value> </modes>
</field>
</summary>
curl -k -u admin:pass https://localhost:8089/services/search/jobs/mytestsid/timeline --get -d time_format="%c"
<timeline c='150397' cursor='1312308000'>
<bucket c='7741' a='7741' t='1312308000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 11:00:00 2011</bucket>
<bucket c='7894' a='7894' t='1312311600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 12:00:00 2011</bucket>
<bucket c='7406' a='7406' t='1312315200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 13:00:00 2011</bucket>
<bucket c='6097' a='6097' t='1312318800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 14:00:00 2011</bucket>
<bucket c='6072' a='6072' t='1312322400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 15:00:00 2011</bucket>
<bucket c='6002' a='6002' t='1312326000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 16:00:00 2011</bucket>
<bucket c='6004' a='6004' t='1312329600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 17:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312333200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 18:00:00 2011</bucket>
<bucket c='6037' a='6037' t='1312336800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 19:00:00 2011</bucket>
<bucket c='6021' a='6021' t='1312340400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 20:00:00 2011</bucket>
<bucket c='6051' a='6051' t='1312344000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 21:00:00 2011</bucket>
<bucket c='6006' a='6006' t='1312347600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 22:00:00 2011</bucket>
<bucket c='6041' a='6041' t='1312351200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Tue Aug 2 23:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312354800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 00:00:00 2011</bucket>
<bucket c='6040' a='6040' t='1312358400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 01:00:00 2011</bucket>
<bucket c='5993' a='5993' t='1312362000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 02:00:00 2011</bucket>
<bucket c='6061' a='6061' t='1312365600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 03:00:00 2011</bucket>
<bucket c='5995' a='5995' t='1312369200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 04:00:00 2011</bucket>
<bucket c='5988' a='5988' t='1312372800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 05:00:00 2011</bucket>
<bucket c='6042' a='6042' t='1312376400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 06:00:00 2011</bucket>
<bucket c='5998' a='5998' t='1312380000.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 07:00:00 2011</bucket>
<bucket c='6055' a='6055' t='1312383600.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 08:00:00 2011</bucket>
<bucket c='5997' a='5997' t='1312387200.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 09:00:00 2011</bucket>
<bucket c='5994' a='5994' t='1312390800.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 10:00:00 2011</bucket>
<bucket c='875' a='875' t='1312394400.000' d='3600' f='1' etz='-25200' ltz='-25200'>Wed Aug 3 11:00:00 2011</bucket>
</timeline>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/parser --get -d output_mode=json -d q="search index=os sourcetype=cpu"
{
"remoteSearch": "litsearch | fields keepcolorder=t \"host\" \"index\" \"linecount\" \"source\" \"sourcetype\" \"splunk_server\"",
"remoteTimeOrdered": true,
"eventsSearch": "search ",
"eventsTimeOrdered": true,
"eventsStreaming": true,
"reportsSearch": "",
"commands": [
{
"command": "search",
"rawargs": "",
"pipeline": "streaming",
"args": {
"search": [""],
}
"isGenerating": true,
"streamType": "SP_STREAM",
},
]
}
curl -k -u admin:pass https://localhost:8089/services/search/scheduler
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler</id>
<updated>2015-06-09T13:23:38-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/scheduler/_acl" rel="_acl"/>
<opensearch:totalResults>1</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
<entry>
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler/scheduler</id>
<updated>2015-06-09T13:23:38-07:00</updated>
<link href="/services/search/scheduler/scheduler" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/search/scheduler/scheduler" rel="list"/>
<link href="/services/search/scheduler/scheduler" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="disabled">0</s:key>
<s:key name="eai:acl">
<s:dict>
<s:key name="app"></s:key>
<s:key name="can_list">1</s:key>
<s:key name="can_write">1</s:key>
<s:key name="modifiable">0</s:key>
<s:key name="owner">system</s:key>
<s:key name="perms">
<s:dict>
<s:key name="read">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
<s:key name="write">
<s:list>
<s:item>admin</s:item>
<s:item>splunk-system-role</s:item>
</s:list>
</s:key>
</s:dict>
</s:key>
<s:key name="removable">0</s:key>
<s:key name="sharing">system</s:key>
</s:dict>
</s:key>
<s:key name="saved_searches_disabled">0</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -ku admin:pass -XPOST https://localhost:8089/services/search/scheduler/status -d disabled=1
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>scheduler</title>
<id>https://localhost:8089/services/search/scheduler</id>
<updated>2015-06-09T13:40:21-07:00</updated>
<generator build="6cfc0237739f" version="6.3.0"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/search/scheduler/_acl" rel="_acl"/>
<opensearch:totalResults>0</opensearch:totalResults>
<opensearch:itemsPerPage>30</opensearch:itemsPerPage>
<opensearch:startIndex>0</opensearch:startIndex>
<s:messages/>
</feed>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/timeparser --get -d time=-12h -d time=-24h
<response>
<dict>
<key name="-12h">2011-07-06T21:54:23.000-07:00</key>
<key name="-24h">2011-07-06T09:54:23.000-07:00</key>
</dict>
</response>
curl -k -u admin:pass https://localhost:8089/servicesNS/admin/search/search/typeahead --get -d count=3 -d prefix=source -d output_mode=json
{ "results" : [ { "content" : "source=\"sampledata.zip:./apache1.splunk.com/access_combined.log\"",
"count" : 9199,
"operator" : false
},
{ "content" : "source=\"sampledata.zip:./apache2.splunk.com/access_combined.log\"",
"count" : 27705,
"operator" : false
},
{ "content" : "source=\"sampledata.zip:./apache3.splunk.com/access_combined.log\"",
"count" : 27888,
"operator" : false
}
]
}
| This page is currently a work in progress; expect frequent near-term updates. |
Manage server configuration settings and messages.
See Introspection endpoint descriptions for the system endpoints related to introspection.
https://<host>:<mPort>/services/messages
Authentication: Not required
Provides access to Splunk Enterprise system messages. Most messages are created by splunkd to inform the user of system problems.
Splunk Web typically displays these as bulletin board messages.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerate all systemwide messages. | XML, JSON |
| POST | Create a persistent message displayed at /services/messages. | XML, JSON |
messages method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| restart_required | Splunk Enterprise system message indicating that restarting Splunk Enterprise is required. |
This is typically used for splunkd to advertise issues such as license quotas, license expirations, misconfigured indexes, and disk space.
messages method detail| Name | Type | Default | Description |
|---|---|---|---|
| <name> required | String | Message name (key). | |
| severity | String | Message severity level:
| |
| value required | String | Message text. |
None
[ Top ]
https://<host>:<mPort>/services/messages/{name}
Authentication: Not required
Manage the message associated with the {name} message ID.
| Method | Description | Formats |
|---|---|---|
| DELETE | Deletes a message identified by {name}. | XML, JSON |
| GET | Get the entry corresponding to a single message identified by {name} | XML, JSON |
messages/{name} method detailNone
None
The method returns HTTP status code = 500, if {name} message does not exist.
messages/{name} method detailNone
| Name | Description |
|---|---|
| message | The system message. |
[ Top ]
https://<host>:<mPort>/services/server/control
Authentication: Not required
Allows access to controls, such as restarting server.
| Method | Description | Formats |
|---|---|---|
| GET | Lists the actions that can be performed at this endpoint. | XML, JSON |
server/control method detailNone
None
[ Top ]
https://<host>:<mPort>/services/server/control/restart
Authentication: Required
Restart Splunk Enterprise splunkd server daemon and splunkweb Web interface.
| Method | Description | Formats |
|---|---|---|
| POST | Restart Splunk Enterprise splunkd server daemon and splunkweb Web interface. | XML, JSON |
server/control/restart method detailNone
None
This interface is equivalent to the splunk restart CLI command.
HTTP status code 200 indicates successful restart.
[ Top ]
https://<host>:<mPort>/services/server/control/restart_webui
Authentication: Not required
Restart Splunk Web interface.
| Method | Description | Formats |
|---|---|---|
| POST | Restart Splunk Web interface. | XML, JSON |
server/control/restart_webui method detailNone
None
This interface is equivalent to the splunk restart splunkweb CLI command, and restarts the Web interface on servers with the default app server mode set.
HTTP status code 200 indicates successful restart.
[ Top ]
https://<host>:<mPort>/services/server/logger
Authentication: Not required
Provides access to splunkd logging categories, either specified in code or in $SPLUNK_HOME/etc/log.cfg.
| Method | Description | Formats |
|---|---|---|
| GET | Enumerates all splunkd logging categories, either specified in code or in $SPLUNK_HOME/etc/log.cfg | XML, JSON |
server/logger method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| level | Logger level for this server.
Valid values: (FATAL | WARN | INFO | DEBUG) |
[ Top ]
https://<host>:<mPort>/services/server/logger/{name}
Authentication: Not required
Manage the {name} logging category.
| Method | Description | Formats |
|---|---|---|
| GET | Describes a specific splunkd logging category. | XML, JSON |
| POST | Sets the logging level for a specific logging category. | XML, JSON |
server/logger/{name} method detailNone
| Name | Description |
|---|---|
| level | Logger level for this server.
Valid values: (FATAL | WARN | INFO | DEBUG) |
server/logger/{name} method detail| Name | Type | Default | Description |
|---|---|---|---|
| level required | Enum | Valid values: (FATAL | WARN | INFO | DEBUG)
The desired logging level for this category. |
None
[ Top ]
https://<host>:<mPort>/services/server/roles
Authentication: Not required
Access the server role information. A server can have zero or more of the following roles:
indexer universal_forwarder heavyweight_forwarder lightweight_forwarder license_master license_slave cluster_master cluster_slave cluster_search_head deployment_server deployment_client search_head search_peer
See also: /server/info endpoint, server-roles attribute.
| Method | Description | Formats |
|---|---|---|
| GET | Get the roles applicable to this server. | XML, JSON |
server/roles method detailNone
| Name | Description |
|---|---|
| <variable> | List of defined roles, from the following possible server roles:
|
[ Top ]
https://<host>:<mPort>/services/server/settings
Authentication: Not required
Provides access to server configuration information for an instance of Splunk.
| Method | Description | Formats |
|---|---|---|
| GET | Returns the server configuration of an instance of Splunk. | XML, JSON |
server/settings method detailPagination and filtering parameters can be used with this method.
| Name | Description |
|---|---|
| SPLUNK_DB | Absolute filepath to the default index for this instance of Splunk. |
| SPLUNK_HOME | Absolute filepath to the local installation of this instance of Splunk. |
| enableSplunkWebSSL | Indicates if https and SSL is enabled for Splunk Web. |
| host | The default hostname to use for data inputs that do not override this setting. |
| httpport | Port on which Splunk Web is listening for this instance of Splunk Enterprise.
Defaults to 8000. If using SSL, set to the HTTPS port number. |
| mgmtHostPort | The port on which Splunk Web is listening for management operations. Defaults to 8089. |
| minFreeSpace | Safe amount of space in MB that must exist for splunkd to continue operating.
minFreespace affects search and indexing: Before attempting to launch a search, splunk requires this amount of free space on the filesystem where the dispatch directory is stored ($SPLUNK_HOME/var/run/splunk/dispatch). Applied similarly to the search quota values in authorize.conf and limits.conf. For indexing, periodically, the indexer checks space on all partitions that contain splunk indexes as specified by indexes.conf. When you need to clear more disk space, indexing is paused and Splunk Enterprise posts a UI banner + warning. |
| pass4SymmKey | Password string that is prefixed to the Splunk Enterprise symmetric key, generating the final key to sign all traffic between master/slave licenser. |
| serverName | Name used to identify this Splunk Enterprise instance for features such as distributed search. |
| sessionTimeout | Time range string to set the amount of time before a user session times out, expressed as a search-like time range. Default is 1h (one hour).
For example: 24h: (24 hours) 3d: (3 days) 7200s: (7200 seconds, or two hours) |
| startwebserver | Indicates if Splunk Web is started. |
| trustedIP | The IP address of the authenticating proxy. Set to a valid IP address to enable SSO.
Disabled by default. Normal value is '127.0.0.1' |
[ Top ]
curl -k -u admin:changeme https://localhost:8089/services/messages
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>messages</title>
<id>https://localhost:8089/services/messages</id>
<updated>2011-07-08T01:14:21-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/messages/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>restart_required</title>
<id>https://localhost:8089/services/messages/restart_required</id>
<updated>2011-07-08T01:14:21-07:00</updated>
<link href="/services/messages/restart_required" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/messages/restart_required" rel="list"/>
<link href="/services/messages/restart_required" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="restart_required">Splunk must be restarted for changes to take effect.</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/messages -d name=helloMessage -d value="hello world" -d severity="info"
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>messages</title>
<id>https://localhost:8089/services/messages</id>
<updated>2014-02-20T10:24:02-08:00</updated>
<generator build="197187" version="6.1beta"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/messages/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>helloMessage</title>
<id>https://localhost:8089/services/messages/helloMessage</id>
<updated>2014-02-20T10:24:02-08:00</updated>
<link href="/services/messages/helloMessage" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/messages/helloMessage" rel="remove"/>
<content type="text/xml">
<s:dict>
<s:key name="helloMessage">"hello world"</s:key>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="message">"hello world"</s:key>
<s:key name="severity">info</s:key>
<s:key name="timeCreated_epochSecs">1392920642</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme --request DELETE https://localhost:8089/services/messages/message
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>messages</title>
<id>https://localhost:8089/services/messages</id>
<updated>2011-07-08T01:14:21-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/messages/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/messages/message
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>messages</title>
<id>https://localhost:8089/services/messages</id>
<updated>2011-07-08T01:14:21-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/messages/_new" rel="create"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>message</title>
<id>https://localhost:8089/services/messages/message</id>
<updated>2011-07-08T01:14:21-07:00</updated>
<link href="/services/messages/message" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/messages/message" rel="list"/>
<link href="/services/messages/message" rel="remove"/>
<content type="text/xml">
<s:dict>
... eai:acl node elided ...
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list/>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="message">hello world</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/control
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>server-control</title>
<id>https://localhost:8089/services/server/control</id>
<updated>2011-07-12T00:17:53-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/server/control/restart" rel="restart"/>
... opensearch elements elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/control/restart -X POST
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-control</title>
<id>https://localhost:8089/services/server/control</id>
<updated>2014-08-05T13:02:50-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/server/control/restart" rel="restart"/>
<link href="/services/server/control/restart_webui" rel="restart_webui"/>
... opensearch nodes elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/control/restart_webui -X POST
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-control</title>
<id>https://localhost:8089/services/server/control</id>
<updated>2014-08-05T12:10:37-07:00</updated>
<generator build="221120" version="6.2"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/server/control/restart" rel="restart"/>
<link href="/services/server/control/restart_webui" rel="restart_webui"/>
... opensearch elements elided ...
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/logger
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>logger</title>
<id>https://mrt:8089/services/server/logger</id>
<updated>2011-05-16T20:29:38-0700</updated>
<generator version="98144"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>AdminHandler:AuthenticationHandler</title>
<id>https://mrt:8089/services/server/logger/AdminHandler%3AAuthenticationHandler</id>
<updated>2011-05-16T20:29:38-0700</updated>
<link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="list"/>
<link href="/services/server/logger/AdminHandler%3AAuthenticationHandler" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="level">WARN</s:key>
</s:dict>
</content>
</entry>
.
.
.
elided
.
.
.
<entry>
<title>Application</title>
<id>https://mrt:8089/services/server/logger/Application</id>
<updated>2011-05-16T20:29:38-0700</updated>
<link href="/services/server/logger/Application" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/logger/Application" rel="list"/>
<link href="/services/server/logger/Application" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="level">WARN</s:key>
</s:dict>
</content>
</entry>
<entry>
<title>ApplicationManager</title>
<id>https://mrt:8089/services/server/logger/ApplicationManager</id>
<updated>2011-05-16T20:29:38-0700</updated>
<link href="/services/server/logger/ApplicationManager" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/logger/ApplicationManager" rel="list"/>
<link href="/services/server/logger/ApplicationManager" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="level">WARN</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/logger/Application
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:s="http://dev.splunk.com/ns/rest"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>logger</title>
<id>https://localhost:8089/services/server/logger</id>
<updated>2011-07-02T15:10:44-07:00</updated>
<generator version="100492"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>Application</title>
<id>https://localhost:8089/services/server/logger/Application</id>
<updated>2011-07-02T15:10:44-07:00</updated>
<link href="/services/server/logger/Application" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/logger/Application" rel="list"/>
<link href="/services/server/logger/Application" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">... elided ...</s:key>
<s:key name="eai:attributes">
<s:dict>
<s:key name="optionalFields">
<s:list/>
</s:key>
<s:key name="requiredFields">
<s:list>
<s:item>level</s:item>
</s:list>
</s:key>
<s:key name="wildcardFields">
<s:list/>
</s:key>
</s:dict>
</s:key>
<s:key name="level">WARN</s:key>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/logger/Application -d level=INFO
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>logger</title>
<id>https://localhost:8089/services/server/logger</id>
<updated>2011-07-07T00:24:02-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
<s:messages/>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/roles
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest" xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/">
<title>server-roles</title>
<id>https://localhost:8089/services/server/roles</id>
<updated>2014-04-02T12:13:07-07:00</updated>
<generator build="200839" version="6.1"/>
<author>
<name>Splunk</name>
</author>
<link href="/services/server/roles/catalog_allPossible_predefined" rel="catalog_allPossible_predefined"/>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>result</title>
<id>https://localhost:8089/services/server/roles/result</id>
<updated>2014-04-02T12:13:07-07:00</updated>
<link href="/services/server/roles/result" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/roles/result" rel="list"/>
<content type="text/xml">
<s:dict>
<s:key name="eai:acl">
... elided ...
</s:key>
<s:key name="indexer"/>
<s:key name="license_master"/>
<s:key name="license_slave"/>
</s:dict>
</content>
</entry>
</feed>
curl -k -u admin:changeme https://localhost:8089/services/server/settings
<feed xmlns="http://www.w3.org/2005/Atom"
xmlns:opensearch="http://a9.com/-/spec/opensearch/1.1/"
xmlns:s="http://dev.splunk.com/ns/rest">
<title>server-settings</title>
<id>https://localhost:8089/services/server/settings</id>
<updated>2011-07-08T01:56:40-07:00</updated>
<generator version="102807"/>
<author>
<name>Splunk</name>
</author>
... opensearch elements elided ...
<s:messages/>
<entry>
<title>settings</title>
<id>https://localhost:8089/services/server/settings/settings</id>
<updated>2011-07-08T01:56:40-07:00</updated>
<link href="/services/server/settings/settings" rel="alternate"/>
<author>
<name>system</name>
</author>
<link href="/services/server/settings/settings" rel="list"/>
<link href="/services/server/settings/settings" rel="edit"/>
<content type="text/xml">
<s:dict>
<s:key name="SPLUNK_DB">/home/amrit/temp/curl/splunk/var/lib/splunk</s:key>
<s:key name="SPLUNK_HOME">/home/amrit/temp/curl/splunk</s:key>
... eai:acl node elided ...
<s:key name="enableSplunkWebSSL">0</s:key>
<s:key name="host">MrT</s:key>
<s:key name="httpport">8001</s:key>
<s:key name="mgmtHostPort">8085</s:key>
<s:key name="minFreeSpace">2000000</s:key>
<s:key name="pass4SymmKey">changeme</s:key>
<s:key name="serverName">MrT</s:key>
<s:key name="sessionTimeout">1h</s:key>
<s:key name="startwebserver">1</s:key>
<s:key name="trustedIP"/>
</s:dict>
</content>
</entry>
</feed>